modiloader | de0b048c4e3e2ac7233819ae2b264aee7fc0c48d65c3a1af3e0744d66d396a7e

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe
Size

674KB
MD5

fcdf2f5a69e7e27cdc780c09c486d3fe
SHA1

7ba542aecf46dd90a393b9bcad4ba2a14e70b49c
SHA256

de0b048c4e3e2ac7233819ae2b264aee7fc0c48d65c3a1af3e0744d66d396a7e
SHA512

3c76c8fe3af54957d3781aa56a7d2ff05aab2836606c370ca9552b90afafcf99dcdfd637381128ab0fb67b1e699e91f5f7ee146c0f2e765e35a8f5bf94c2a57b
SSDEEP

12288:/m6OWzr++VlFGWQTPW2wMrQ6/2gmRHECF3Z4mxxIoEtlK+kt9T2MM:5OW1VlFCzW2wUQ1gQQmXBG1

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/1056-63-0x0000000000400000-0x0000000000503006-memory.dmp	modiloader_stage2
behavioral1/memory/2872-73-0x0000000000400000-0x0000000000503006-memory.dmp	modiloader_stage2
behavioral1/memory/1276-72-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2
behavioral1/memory/2544-71-0x0000000000400000-0x0000000000503006-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2544	55555.exe
1056	rejoice08.exe
2872	rejoice08.exe

Loads dropped DLL 4 IoCs

pid	Process
2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe
2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe
2544	55555.exe
2544	55555.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F00DF21-BD78-11EF-9D09-F245C6AC432F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F00DF23-BD78-11EF-9D09-F245C6AC432F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F00DF21-BD78-11EF-9D09-F245C6AC432F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F00DF2C-BD78-11EF-9D09-F245C6AC432F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 1276	2872	rejoice08.exe	34

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	55555.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	55555.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	55555.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	rejoice08.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55555.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 205186318551db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859C2CBD-0691-42CE-B68F-06156E569D5F}\WpadDecisionTime = 608b37338551db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{3E823B3F-1CB1-458B-8B71-21C600427E4B}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c000300120013002c000a00fa0100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "krfoafv"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5c-28-ae-b5-6a	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070c000300120013002c0009001403	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5c-28-ae-b5-6a\WpadDecisionTime = 608b37338551db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5c-28-ae-b5-6a\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859C2CBD-0691-42CE-B68F-06156E569D5F}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c000300120013002c000700050100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = a0999c348551db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2544	2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2544	2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2544	2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2544	2780	fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe	30
PID 2544 wrote to memory of 1056	2544	55555.exe	31
PID 2544 wrote to memory of 1056	2544	55555.exe	31
PID 2544 wrote to memory of 1056	2544	55555.exe	31
PID 2544 wrote to memory of 1056	2544	55555.exe	31
PID 2544 wrote to memory of 2412	2544	55555.exe	33
PID 2544 wrote to memory of 2412	2544	55555.exe	33
PID 2544 wrote to memory of 2412	2544	55555.exe	33
PID 2544 wrote to memory of 2412	2544	55555.exe	33
PID 2872 wrote to memory of 1276	2872	rejoice08.exe	34
PID 2872 wrote to memory of 1276	2872	rejoice08.exe	34
PID 2872 wrote to memory of 1276	2872	rejoice08.exe	34
PID 2872 wrote to memory of 1276	2872	rejoice08.exe	34
PID 2872 wrote to memory of 1276	2872	rejoice08.exe	34
PID 1276 wrote to memory of 1736	1276	IEXPLORE.EXE	35
PID 1276 wrote to memory of 1736	1276	IEXPLORE.EXE	35
PID 1276 wrote to memory of 1736	1276	IEXPLORE.EXE	35
PID 1276 wrote to memory of 824	1276	IEXPLORE.EXE	37
PID 1276 wrote to memory of 824	1276	IEXPLORE.EXE	37
PID 1276 wrote to memory of 824	1276	IEXPLORE.EXE	37
PID 1276 wrote to memory of 824	1276	IEXPLORE.EXE	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcdf2f5a69e7e27cdc780c09c486d3fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\55555.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\55555.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:1736
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
152B

MD5
6e0e71acfc6961518f0989a284afb57f

SHA1
eb24b7215277c28c4df2c5487404b81c919b12f8

SHA256
fe9ad350ece53bb4e4216b6d202d5b5002706cce8845bd6688c05529dac67891

SHA512
5caac99bd27f295a01d7333d1aba70d80870da6107cc37ea67728474e64e52e8c10d600bcdd2e24e4d4de35baf5b2d26f291e461f53493d77bd511b792bbfec9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
78f63fc7aaa672703763135bb1a6092b

SHA1
889c5cefb919d1665e3b1abf3b84ccc5a917a2a7

SHA256
5b44384fdd8fa13b9fe6d645eb0f7a4925c7f7bd0bc88588cc07fabe2e171cff

SHA512
e3a840f775547bce5836eda23c007feaf8d9fd9eab9b7ae3a1be97343a3c999140df29a2195bcd99b8c1d5504db8ae27160294656039f1844642af6afad7e37b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e92180d3f083b670770654873e047de3

SHA1
e1556bee60030e3d389e57cce3dd5c3cea5a0093

SHA256
bc82253f5a20db5b0c33119932eecbbd4600970ea2f5294b1b8fa9f64534ffed

SHA512
c3914efcd1bffce4d999fdb9c6eadef3f5ee22c409846471bb14d5797694f11dccb94dfdecc1a3b9adebf82ab7757c88b6c9529e0ebe684f1de2d674a823fbbb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a00a94d4a1ecd4f34e2fce804142b3

SHA1
a9f00a32e945113ed083873459782009ff851c5c

SHA256
6612e9f7da267f511d7d06597211881601b372f6f4a2892ab78475af12938e21

SHA512
5f7140b8abeb7ee84bd937fabc16acbe4cf8652bb2a62e0a5d9fc80602780727a4575ceb5fe419f60c92e4d5d1ae2630d98a1643a611b485cec819899e7bf361

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17ceb8851f3be93c9c197977f44bb6a4

SHA1
da18d4b47e62a40aa58da2e48c54608a845027a2

SHA256
a3b7a222c87c457f22d2afb6400a163718f28d9be243c1b8a7e304d9155259ae

SHA512
e07b2a28c4a30c54beea00cc37dfc149acc9850fa72415cb9a383860e9d4c805662e640b35901bebc609f6c364330d0a091018c7848e36c8a21b13d721df35ac

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b09726ee59d05a7b373197d71c4c431

SHA1
d669d52755a21fb85fd7de1e0f8b0327bd0db69a

SHA256
44c142183518ca6de0fe1c5488c7446d0d04a66bf161c3e232138262699234fb

SHA512
9d26e5ef589d8abbde11c00691f9167965302d7d41bf12245dbf4588833a82fe91ecae0315e321acdb3d4c71cc743a661ff801c3ef10686174606181cb9a6964

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98533f65b2c18f49d1e9c7f7db2a5786

SHA1
b61cf6b6de91c7cb30e2ec5639525ee8a29b7f74

SHA256
0dc5773e9b4c311f194501d409356eb538a72bc88c58e67d58239e7cfd924ee2

SHA512
35a871c19e50ef78435fad204ecdd87554c415d1ce5aa52ad29731c74dad6f0f4ca059536693ab48f75d0948c52abf57a7b7d56a77601e4835eeb890e513b498

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d01db0f6b0b7f8abe501cf644ff2efa

SHA1
95a2031acd21b2c6bbfb8a2ed49067f739fd5849

SHA256
c1e28f14e8d52efeb18873647158070ca2597979cb44f0be013b159642006cbd

SHA512
e3d58fc1afa890694d85da159256f3486a95f4ab0f0d71179a1d16f463507fe4721d8dc4a4bfe030788b4cd35ccd6483fba5fcb1783d39e59ccc67d23785b174

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34ce5ce7b4d92ccecb7035c16db0e9e4

SHA1
94a829786da5f432c88eb7ad4451ac423767a80b

SHA256
1324fd080dfa008734446b433ed76bb61d41b234cfd993af872efcb8b0ae50e5

SHA512
8704ad1c9251f2424683c315445c7e9a0e504d5d97a5392635410e42a17b155147e22caa161e421884b0d493c5a6064184711f1dbfc40c51686106c2dc8a8b66

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43a9bf4fb8f8d4d96c0dd07e49e380e5

SHA1
8781fa23cfbb92c240152d5afdc7d8a05c07327e

SHA256
888daaec88a76c8b6e5fe35c845642334db6eb62d3cfe1dc98e37069d920ff96

SHA512
f842bae6e32f2f4a4ffbc4574b9f834967b15ac0c2aef21bb88c0b1cb899bd70a5756d671b4249a2a20cb92ddd833433a4ecd7a94016f060513185b316897096

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
765efd4ecb270756eb555eb078e0a0ff

SHA1
eceb37e570767c3257fef0d2e011c1ffb0461c1d

SHA256
ab4df8147eeeb4986c6600223f09e2b6fe134b255a41e641642ca0b24c8d31de

SHA512
2c6ed636e46a79c1434e0973c6ce0cfe30090c136a02b05a19a1c02e57c2c290977d2ae73d3ddf248db9afa274ca13b092c53a0f12901ad6e6e6fb3c74faf977

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22b3f734f3d74777411c4a4505c365ef

SHA1
05c24ffd38ba058fe4e5a6a2269b296d68e692dc

SHA256
bb8e9e981f92650d73ec6c066d26203ebe633dc81f9b728845a4464536b41656

SHA512
801202419f8ce1235bff7838b432fd9039d403197dfeb912a4a4ca7e748487e3ab4815386c4b773cde871e61a954c8df85ff5c67a5462317c05a6baf0831d967

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8398890e827810d4fc3a312c1d0d869f

SHA1
a4997394f3274df24191f56fbb94418dc0187e6b

SHA256
f891f90a9c5ddf1510c8b2e7ed8ebd40517dabf9fef0a0585c07136e81fa5914

SHA512
a64a76e3ae121b63b2c68c0f4d3c54b98f8542928f19a5809acd0e41a5bdb1aaf6d47a3018a7829f92eec4a3c6bd1d69a61771d4c58763179c9739efb7dea93c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d587c8cbbb3d8ca7d8a3e2dd7d38745c

SHA1
f9ce9a8dab17e611b9c8154558b72de0dd14134a

SHA256
192ea28ebe3b5e6b219821d6ebaceef0398d053f74b5315870e8796170e8b35f

SHA512
27cbbd4f1a4c5737e7befab5e44649d4e79be4d38f63ff68986ecd159fe2758a91b000a5c5d36695b80cca9016ee02c53c93184523c6bcf7f3d55926e09b4aa5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a92f2e802519fa5fca5217e1aed3341e

SHA1
def70e2275bdaa83678f05eca337b911ec10656a

SHA256
cb732a8cd8da20a1438f51f498094fca2d83ad26cbb390db10757b0a02c774df

SHA512
6710ca5444c055e77169add5e00e29fac5167cb2b9f32058054ce65c30213edb51339db87cfc8087b81d5eac723fa374ec4426aff5f456e59112bb3e0ab41484

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdfc9595a1e40a39b7204cf537601d9b

SHA1
194077dc3fd2ff53916a892135b88a143b915d67

SHA256
1ec1d8903d696f43c94260d0d17af8fbcbe329360a503d36c871d4e99ead0a74

SHA512
df4867b0a02fe39e255009cdb729c2131e98785edd49766e8c5bfcf44d5934991b5b3739e5ecbd634c14bcd49da89d1cb15f65d532d5ac6fcb9b01350a071c92

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89f3d180920de141bf13b26d7b5e129b

SHA1
3e7b5ee2610aefba49bbca907a00bcf13bdf8e24

SHA256
61d4ebb7f712bee7295f93372c7bc8ba9218a6c1759f75476d3ae2e6e85b2cba

SHA512
55038aaa586171820458f5c362dc2932c60a47e1504954feb27bf24a79b06f7f46de69a2b7b010d9333b3315f156754e10fabbe041da0dfbd130217b528f8eb9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da35f441acd5a8ada54c3383c78da48f

SHA1
94ed0bd7f26991e21bcdf530e5238fef38979b14

SHA256
4646e694821b7c361518f854d985bca23ee6222ed0e437b750231366367fd532

SHA512
a013f36f91f3bf8af9592b74eeffa1ab5e701759d1a3cde86244829c7f71e26e6a08a436a76e04db90a65d8872f8068b4498b60fbc9cdff29144ed96ce32ed0c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcb2de4a5049200d2116f180b3873cd5

SHA1
6a4a8db3d6f00a0251d28856386e99861b9567f6

SHA256
8cfd4cb2bd7fd23bfb448fd12903010de3d05080b2096958bd48e4a717fdd6ab

SHA512
e899552a21c62ac6820d2b72fd25a96cf4f8afd59b63dd21beafecf359ef7205194cd8fcec6b98299dde4d36a65422f93b8b6be11433bd14af2b6e7c98d2b91d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1af440b0c8985d7890d4a07ae4c8b069

SHA1
e65129709be9a9bb0b01b9cbe6c0bd7ea28e79f0

SHA256
53579806254ffd84fc2da3af55ab00898b9db694414eb2b4790d3258aea62143

SHA512
7a028e694a2874037786f23ec0907d64b89bd97d1fd242530182fedd6bddfc7bbb8cc2d3909238012128dfe0ac3b0012e619140cfe5a0f8919aaf5ccc8385e41

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8798b99019c4787407ce2e343fce4893

SHA1
48a1e9e5b914f15b86c0cde2269530c9a6c269bd

SHA256
af21dbf3006aa95987af9bd1fbae6d805c45a0706a2e1545e44b6a1c8a5234cc

SHA512
7c37bae03d17decf844dc468ab7f42a6e97553bcd9b052767a04d91a1dd80e5be5d49c199941147d3661dc03ce560fe30ee615d881a3dad76032d92589cc3601

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8059fb0f72e27fa927cd9879a68827a0

SHA1
fb12a241a08280b8fab8766342879f871ad50fcd

SHA256
d3a1b99bfd6cf193ee6a29a2a4b1ab03c15b49f6412eddb796f6aa6c717e2ac8

SHA512
2ed83eea3b1393edae6d154df23a90f14987b6bf1808795b8cf276a6988b408f1181f9eefe26ec979550c85f41e4a367bcfd48e8ba1022e7eade09bb018a554f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab67A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar68E.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar83B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwFAB4.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwFAB5.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\55555.exe

Filesize
298KB

MD5
d542d46af789979f832f1f79f5418906

SHA1
90ea9e0903f85e48cb36379bf3589f6a29838774

SHA256
501233410c4ea01f515ba7a33808d225a82781d580f4e2c19905042af287c9ba

SHA512
3ecb7c20a91bbc8a7110ff035fbab9ca9fca64c17ae2673ed9f78b8cb554dbdf5df229f366b3aacbba7e284b35c45102dfa335cb3af8fde36600f4cdf2c049bf

Download Submit
memory/1056-63-0x0000000000400000-0x0000000000503006-memory.dmp

Filesize
1.0MB

Download
memory/1276-72-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download
memory/2544-71-0x0000000000400000-0x0000000000503006-memory.dmp

Filesize
1.0MB

Download
memory/2780-32-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2780-31-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2780-13-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-12-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-15-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2780-76-0x0000000001000000-0x000000000110A000-memory.dmp

Filesize
1.0MB

Download
memory/2780-16-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-0-0x0000000001000000-0x000000000110A000-memory.dmp

Filesize
1.0MB

Download
memory/2780-17-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-75-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2780-18-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-19-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-20-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-21-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-22-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-23-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-24-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-25-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-26-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-27-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-28-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2780-29-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2780-30-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2780-14-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2780-33-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2780-34-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2780-35-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2780-36-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2780-37-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2780-43-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2780-38-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2780-39-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2780-40-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2780-41-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2780-42-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2780-11-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2780-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2780-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2780-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2780-4-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2780-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2780-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2780-7-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2872-73-0x0000000000400000-0x0000000000503006-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads