Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 14:41 UTC

General

  • Target

    JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe

  • Size

    667KB

  • MD5

    ca91d7233de94df30ccbb02bcf7eb86d

  • SHA1

    7a96c6de2a629170e4bc24a81df72e24a87d77ae

  • SHA256

    1ae7b586ef1b22df289badb804323398d4672dcc9da455d89ffcf22814a31267

  • SHA512

    cd3687d7766f8fe2b80f319944cf8a128f34b243e45b3f0ad1973138445a95a4938df00941f917491dfaf379bdab9a53946426bf5a9e06d7c07a9e655c28a3f5

  • SSDEEP

    12288:WbMqmEEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIeEEb4Ev/ATEXKGVnGTzpA1Ec1A

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modiloader family
  • ModiLoader Second Stage 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
      JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\DV245F.exe
        C:\Users\Admin\DV245F.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\pblen.exe
          "C:\Users\Admin\pblen.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
      • C:\Users\Admin\aohost.exe
        C:\Users\Admin\aohost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Users\Admin\aohost.exe
          aohost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2624
      • C:\Users\Admin\bohost.exe
        C:\Users\Admin\bohost.exe
        3⤵
        • Modifies security service
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2068
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\275A7\EC9AF.exe%C:\Users\Admin\AppData\Roaming\275A7
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1720
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Program Files (x86)\A71C6\lvvm.exe%C:\Program Files (x86)\A71C6
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2476
      • C:\Users\Admin\dohost.exe
        C:\Users\Admin\dohost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_ca91d7233de94df30ccbb02bcf7eb86d.exe
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2804
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3064

Network

  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    88.221.134.83
    a1363.dscg.akamai.net
    IN A
    88.221.134.146
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    88.221.134.83:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 729f9bbc-001e-0005-142b-4c8531000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 19 Jan 2025 14:41:54 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    2.18.237.131
  • flag-ie
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    Remote address:
    2.18.237.131:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: HqJzZuA065RHozzmOcAUiQ==
    Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
    ETag: 0x8DD34DBD43549F4
    x-ms-request-id: 7863c09d-d01e-0006-54ca-666455000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 19 Jan 2025 14:41:54 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV6f5d79d1.0
    ms-cv-esi: CASMicrosoftCV6f5d79d1.0
    X-RTag: RT
  • flag-us
    DNS
    csc3-2004-crl.verisign.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    csc3-2004-crl.verisign.com
    IN A
    Response
  • flag-us
    DNS
    012webpages.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    012webpages.com
    IN A
    Response
    012webpages.com
    IN A
    103.27.200.238
  • flag-th
    GET
    http://012webpages.com/christian13.jpg?pr=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    bohost.exe
    Remote address:
    103.27.200.238:80
    Request
    GET /christian13.jpg?pr=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
    Connection: close
    Host: 012webpages.com
    Accept: */*
    User-Agent: chrome/9.0
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 19 Jan 2025 14:41:57 GMT
    Content-Type: text/html
    Content-Length: 166
    Connection: close
    Location: http://www.012webpages.com/christian13.jpg?pr=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    Server: Nginx_Rc-Cr
    etag: on
  • flag-us
    DNS
    ourthreedomains.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    ourthreedomains.com
    IN A
    Response
  • flag-us
    DNS
    seeworldonlines.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    seeworldonlines.com
    IN A
    Response
  • flag-us
    DNS
    webhomefordomains.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    webhomefordomains.com
    IN A
    Response
  • flag-us
    DNS
    www.microsoft.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    95.100.245.144
  • flag-us
    DNS
    www.google.com
    bohost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-gb
    GET
    http://www.google.com/
    bohost.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.0
    Connection: close
    Host: www.google.com
    Accept: */*
    Response
    HTTP/1.0 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPCetLwGIjC3f3OoWJh7MVWejZrBKSxfQM7TjDMOYhIlZwG9-jCv6MUK9tOVkoLeIkI5C783Pe4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI8J60vAYQrqm3wAMSBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-HuXlDMj3ufWroSL82v2a5Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sun, 19 Jan 2025 14:42:56 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-Xl_-XiP9sCJpxiV4qoF3BVxfguxOGvjp8AhxjBWIi54RrAKTSQaQ; expires=Fri, 18-Jul-2025 14:42:56 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-gb
    GET
    http://www.google.com/
    bohost.exe
    Remote address:
    142.250.187.196:80
    Request
    GET / HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPGetLwGIjBN4uruTfrxWCiWbJQXA6jCXhAVWYkNsiKYdIH3VlWiG78ZV26VqyrUXT6tOdFZAA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwI8Z60vAYQl8XPjQISBLXXsFM
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-tBk03UMzQUvs5blxk6MsNw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sun, 19 Jan 2025 14:42:57 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-VpT8-UZKFtqzK-r0oN1mHXlycYFyU2lAb4My7-LHT9JJYiSBoIAw; expires=Fri, 18-Jul-2025 14:42:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
    Connection: close
  • flag-gb
    GET
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPGetLwGIjBN4uruTfrxWCiWbJQXA6jCXhAVWYkNsiKYdIH3VlWiG78ZV26VqyrUXT6tOdFZAA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    bohost.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /sorry/index?continue=http://www.google.com/&q=EgS117BTGPGetLwGIjBN4uruTfrxWCiWbJQXA6jCXhAVWYkNsiKYdIH3VlWiG78ZV26VqyrUXT6tOdFZAA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Connection: close
    Pragma: no-cache
    Host: www.google.com
    Response
    HTTP/1.1 429 Too Many Requests
    Date: Sun, 19 Jan 2025 14:42:57 GMT
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Content-Type: text/html
    Server: HTTP server (unknown)
    Content-Length: 3086
    X-XSS-Protection: 0
    Connection: close
  • 88.221.134.83:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    497 B
    1.7kB
    6
    5

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 2.18.237.131:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    439 B
    1.7kB
    5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 103.27.200.238:80
    http://012webpages.com/christian13.jpg?pr=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D
    http
    bohost.exe
    388 B
    641 B
    5
    5

    HTTP Request

    GET http://012webpages.com/christian13.jpg?pr=gHZutDyMv5rJej%2Fia9nrmsl6giWz%2BJZbVyA%3D

    HTTP Response

    301
  • 127.0.0.1:62182
  • 142.250.187.196:80
    http://www.google.com/
    http
    bohost.exe
    302 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/
    http
    bohost.exe
    307 B
    1.5kB
    5
    5

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.187.196:80
    http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPGetLwGIjBN4uruTfrxWCiWbJQXA6jCXhAVWYkNsiKYdIH3VlWiG78ZV26VqyrUXT6tOdFZAA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    http
    bohost.exe
    526 B
    3.7kB
    6
    7

    HTTP Request

    GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGPGetLwGIjBN4uruTfrxWCiWbJQXA6jCXhAVWYkNsiKYdIH3VlWiG78ZV26VqyrUXT6tOdFZAA4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

    HTTP Response

    429
  • 127.0.0.1:62182
    bohost.exe
  • 127.0.0.1:62182
    bohost.exe
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    88.221.134.83
    88.221.134.146

  • 8.8.8.8:53
    www.microsoft.com
    dns
    bohost.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    2.18.237.131

  • 8.8.8.8:53
    csc3-2004-crl.verisign.com
    dns
    bohost.exe
    72 B
    127 B
    1
    1

    DNS Request

    csc3-2004-crl.verisign.com

  • 8.8.8.8:53
    012webpages.com
    dns
    bohost.exe
    61 B
    77 B
    1
    1

    DNS Request

    012webpages.com

    DNS Response

    103.27.200.238

  • 8.8.8.8:53
    ourthreedomains.com
    dns
    bohost.exe
    65 B
    138 B
    1
    1

    DNS Request

    ourthreedomains.com

  • 8.8.8.8:53
    seeworldonlines.com
    dns
    bohost.exe
    65 B
    138 B
    1
    1

    DNS Request

    seeworldonlines.com

  • 8.8.8.8:53
    webhomefordomains.com
    dns
    bohost.exe
    67 B
    140 B
    1
    1

    DNS Request

    webhomefordomains.com

  • 8.8.8.8:53
    www.microsoft.com
    dns
    bohost.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    95.100.245.144

  • 8.8.8.8:53
    www.google.com
    dns
    bohost.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A

    Filesize

    600B

    MD5

    91a216851f109cf139a3b4b903a2dac0

    SHA1

    fec017110ef8c8e18104f9697f63536d34016c6a

    SHA256

    cbcceac368fb190719de120be0cbd94cef8ab700cec061b20612efb90a1a6021

    SHA512

    afc43d09d7f4048794dd6b7ba404a39c01b004fcdc16ad4ef6194983887ce9ed9405d32ba19b80fdc92df1f1048219a25eb365659a74add80875a1565094598c

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A

    Filesize

    996B

    MD5

    1a18e180ed9b9c98726c2128621f0092

    SHA1

    8d0680d3aaa14e53bbe72cc12aca30339f9b79d6

    SHA256

    d94aef3ff9ecea67710e83495f19d4ac1eec46bf76d9046252a78dc41fa47e30

    SHA512

    4d896f319bc2b04ad134292fbbe0f01a0266028521d24995bfec1ea1eca19f7f370c7ea0e69c25656bf80078309557fc1f143e8a93df633057dd6f91554e4cb3

  • C:\Users\Admin\AppData\Roaming\275A7\71C6.75A

    Filesize

    1KB

    MD5

    0449ac6899229beefa30d5a20bfac403

    SHA1

    f3bab9eb460f88eaaab616620b2b0bdba7fe074f

    SHA256

    b4f69125f689cddab63472a35860d513767da1a781c4ea1040b2e56e32a99ab1

    SHA512

    bef6567cb566e4357a0493e553d902882cc59703258d6b2cefd2c66e61e3d6b38b39aac3b1d667751e767a64b34cbaa1d943533d6694a434369a346139280bd1

  • \Users\Admin\DV245F.exe

    Filesize

    216KB

    MD5

    00b1af88e176b5fdb1b82a38cfdce35b

    SHA1

    c0f77262df92698911e0ac2f7774e93fc6b06280

    SHA256

    50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

    SHA512

    9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

  • \Users\Admin\aohost.exe

    Filesize

    152KB

    MD5

    4401958b004eb197d4f0c0aaccee9a18

    SHA1

    50e600f7c5c918145c5a270b472b114faa72a971

    SHA256

    4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

    SHA512

    f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

  • \Users\Admin\bohost.exe

    Filesize

    173KB

    MD5

    0578a41258df62b7b4320ceaafedde53

    SHA1

    50e7c0b00f8f1e5355423893f10ae8ee844d70f4

    SHA256

    18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

    SHA512

    5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

  • \Users\Admin\dohost.exe

    Filesize

    24KB

    MD5

    d7390e209a42ea46d9cbfc5177b8324e

    SHA1

    eff57330de49be19d2514dd08e614afc97b061d2

    SHA256

    d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

    SHA512

    de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

  • \Users\Admin\pblen.exe

    Filesize

    216KB

    MD5

    b416717f8853eaa18a08b96adcce5e41

    SHA1

    1fd43cc11da918b26d55e1afdc63de9e321cb255

    SHA256

    84ec2a4aad29d427c80786b784d7648b6d2df5351d53f40ffb9b4b1d3fc06b55

    SHA512

    5065386c4f1edd9fbf00629b5449103d4694412b2b1cb5cb235292cdf6acb2f9408a2825dbb2f78743e755075fd6ee6005e7c4f8d00b63ca924b034f99ef894b

  • memory/1720-101-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2068-158-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2068-258-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2068-103-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2068-272-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2320-5-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-260-0x0000000002870000-0x000000000332A000-memory.dmp

    Filesize

    10.7MB

  • memory/2320-263-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-0-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-6-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-12-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-15-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-77-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-13-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2320-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2320-2-0x0000000000400000-0x00000000004CF000-memory.dmp

    Filesize

    828KB

  • memory/2404-10-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2476-156-0x0000000076EA0000-0x0000000076F9A000-memory.dmp

    Filesize

    1000KB

  • memory/2476-155-0x0000000076D80000-0x0000000076E9F000-memory.dmp

    Filesize

    1.1MB

  • memory/2476-154-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2624-102-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-54-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-56-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-60-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-66-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-67-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2624-52-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

  • memory/2884-63-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB
