Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-01-2025 14:06
Behavioral task: behavioral1
Sample: JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
Size: 1022KB
MD5: 6d2ca378dca854f53ab93733bc6a66e0
SHA1: faea17001089803c8cb4d5d0d972e80884638986
SHA256: 4b0f1329d7c4bd996157b31609646bc42335155b01d4458da058ef836604768e
SHA512: 961ddc6c0a9f9a4f77a5a16feee9519ed19a070db69f2569d3d434dc42b15ac38b6949029eb206d6b4666311459f1a0658d436eed40181aeb092e09ce6d464dc
SSDEEP: 24576:XA6tUdbj3z+q2R2Xh9LBu6CDLYS1eXZO+NJqoyhZBERuOZ:XAOUdbjz+q2cXhLu68LZ1eJOGyJEss
Malware Config
Extracted
Family: darkcomet
Botnet: JAVAappDrBy
C2: yolofu.zapto.org:1604
Mutex: DC_MUTEX-7GD0C71
Attributes:
  InstallPath: Java\JavawsJRE06.exe
  gencode: jVbPS4va9ElN
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: JavaUpdater
Signatures
Darkcomet family
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe" | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | JavawsJRE06.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JavawsJRE06.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | JavawsJRE06.exe
Modifies security service (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | JavawsJRE06.exe
Windows security bypass
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JavawsJRE06.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JavawsJRE06.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  2636 | attrib.exe
  2592 | attrib.exe
Deletes itself (1 IoC)
  pid | Process
  2600 | notepad.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  2588 | JavawsJRE06.exe
  2288 | JavawsJRE06.exe
Loads dropped DLL (3 IoCs)
  pid | Process
  2676 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  2588 | JavawsJRE06.exe
Windows security modification
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JavawsJRE06.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JavawsJRE06.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinLogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JavawsJRE06.exe" | JavawsJRE06.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe" | JavawsJRE06.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinLogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe" | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Java\\JavawsJRE06.exe" | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/2676-30-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
  behavioral1/memory/2588-102-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2676 set thread context of 2560 | 2676 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 30
  PID 2588 set thread context of 2288 | 2588 | JavawsJRE06.exe | 39
  resource | yara_rule
  behavioral1/memory/2676-0-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral1/files/0x00080000000164c8-9.dat | upx
  behavioral1/memory/2676-30-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral1/memory/2560-65-0x0000000003A40000-0x0000000003B01000-memory.dmp | upx
  behavioral1/memory/2588-102-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe (2 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (2 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe (2 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe (1 entry)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JavawsJRE06.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  The same 23 tokens are adjusted by each of the two processes below (46 entries in total):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  pid 2288 | JavawsJRE06.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | Process
  2676 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe (3 entries)
  2588 | JavawsJRE06.exe (3 entries)
Suspicious use of SendNotifyMessage (6 IoCs)
  pid | Process
  2676 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe (3 entries)
  2588 | JavawsJRE06.exe (3 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2288 | JavawsJRE06.exe
Suspicious use of WriteProcessMemory (62 IoCs)
  description | pid | Process | procid_target
  PID 2676 wrote to memory of 2560 | 2676 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 30 (12 entries)
  PID 2560 wrote to memory of 2856 | 2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 31 (4 entries)
  PID 2560 wrote to memory of 2996 | 2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 32 (4 entries)
  PID 2560 wrote to memory of 2600 | 2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 34 (18 entries)
  PID 2856 wrote to memory of 2592 | 2856 | cmd.exe | 36 (4 entries)
  PID 2560 wrote to memory of 2588 | 2560 | JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe | 37 (4 entries)
  PID 2996 wrote to memory of 2636 | 2996 | cmd.exe | 38 (4 entries)
  PID 2588 wrote to memory of 2288 | 2588 | JavawsJRE06.exe | 39 (12 entries)
Views/modifies file attributes (1 TTP, 2 IoCs)
  pid | Process
  2592 | attrib.exe
  2636 | attrib.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe"
  PID: 2676
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe"
    PID: 2560
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe" +s +h
      PID: 2856
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d2ca378dca854f53ab93733bc6a66e0.exe" +s +h
        PID: 2592
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2996
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 2636
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 2600
      - Deletes itself
      - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"
      PID: 2588
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Java\JavawsJRE06.exe"
        PID: 2288
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 6KB
MD5: cfa2d457ba7732041050688bbe654b82
SHA1: 30dabbe4a737835662c3bb5fe460182167970841
SHA256: 6e9abf64201189f769ebc4959ac077918332fb8aebf75961f657fd4d8992d320
SHA512: 1d9f90bab00a748bd46e032b110e3a4647b9f8838c396acd9352246037a0ec5642fe782e3548433ebbab77603776b36a45d347d71225ca665013ca9982ca44ec
Filesize: 1022KB
MD5: 6d2ca378dca854f53ab93733bc6a66e0
SHA1: faea17001089803c8cb4d5d0d972e80884638986
SHA256: 4b0f1329d7c4bd996157b31609646bc42335155b01d4458da058ef836604768e
SHA512: 961ddc6c0a9f9a4f77a5a16feee9519ed19a070db69f2569d3d434dc42b15ac38b6949029eb206d6b4666311459f1a0658d436eed40181aeb092e09ce6d464dc