Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-02-2025 15:03
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Size: 428KB
MD5: f92ce93ad34f665fe91cc7ebc86015a2
SHA1: f9c47fc48898f64d6a19e2a8c6e3a9eaf332ec49
SHA256: cb2acf33b3a19911d076502af1dc28c56d577612d3c44745246c237b9a4830f9
SHA512: f9a1176d3ae9546232d164e777828eddd322167e35ebcf4e698ccd13c21fdbf13145b7c6e842d801f8626b714777c32d551d49f83637c6d5aac0d86ebb45fd4f
SSDEEP: 12288:xYiuk8BLIeKZ7EITqWj+Of9paO58/7HgmU2wflK:xYgII2DOPayb
Malware Config
Extracted
family: cybergate
version: v1.01.0
remote (C2 host:port): crush31.no-ip.info:3460
CyberGate1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: ituneshelpo
install_file: win32.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate

The C2 is a dynamic-DNS hostname (no-ip.info) on TCP port 3460, so block and alert on the hostname rather than on whatever address it resolved to at analysis time. install_dir and install_file match the dropped paths recorded in the signatures below (C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe and C:\Windows\SysWOW64\ituneshelpo\win32.exe), and injected_process matches the explorer.exe activity (PID 292) seen there. The keylogger is enabled, but with keylogger_enable_ftp false the ftp_directory and ftp_interval settings are inactive in this build.
Signatures
Cybergate family
Adds policy Run key to start application (2 TTPs, 64 IoCs)
The dropped copy registers itself in the Group Policy autorun key Policies\Explorer\Run (value name "Policies") in both the machine hive and the logged-on user's hive. Explorer launches these entries at logon, and the key is normally populated only by Group Policy, so a direct write to it by an ordinary program is a strong indicator on its own (Sysinternals Autoruns lists it under Logon). The 64 recorded events collapse to the distinct rows below; HKLM stands for \REGISTRY\MACHINE and HKU\<SID> for \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000.

count | description | ioc | process
15 | Key created | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | win32.exe
1 | Key created | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
1 | Key created | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
13 | Key created | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | win32.exe
1 | Key created | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
16 | Set value (str) | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe" | win32.exe
11 | Set value (str) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe" | win32.exe
3 | Set value (str) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Windows\SysWOW64\ituneshelpo\win32.exe" | win32.exe
1 | Set value (str) | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Windows\SysWOW64\ituneshelpo\win32.exe" | win32.exe
1 | Set value (str) | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Windows\system32\ituneshelpo\win32.exe" | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
1 | Set value (str) | HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\Windows\system32\ituneshelpo\win32.exe" | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe

The original sample writes a system32 path, the copies running from SysWOW64 write the SysWOW64 path, and the copies running from the user profile overwrite the value with the AppData path; the last of these is what survives.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 62 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. At each user's logon Explorer compares the machine's Active Setup\Installed Components against the per-user copy under HKCU and runs the StubPath of every component not yet recorded for that user, once, before the shell initializes. The sample registers its installed copy with a "Restart" argument under the component name {7N7BJ0LU-0314-3MK4-SP87-6EQ42F08IXG7}, which is not a valid GUID (it contains non-hex letters); a malformed component GUID under Installed Components is a cheap hunting tell by itself. The key sits under Wow6432Node because the sample is 32-bit. The 62 recorded events collapse to the distinct rows below; <component> stands for HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N7BJ0LU-0314-3MK4-SP87-6EQ42F08IXG7}.

count | description | ioc | process
29 | Key created | <component> | win32.exe
1 | Key created | <component> | explorer.exe
1 | Key created | <component> | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
25 | Set value (str) | <component>\StubPath = "C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe Restart" | win32.exe
4 | Set value (str) | <component>\StubPath = "C:\Windows\SysWOW64\ituneshelpo\win32.exe Restart" | win32.exe
1 | Set value (str) | <component>\StubPath = "C:\Windows\system32\ituneshelpo\win32.exe Restart" | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
1 | Set value (str) | <component>\StubPath = "C:\Windows\system32\ituneshelpo\win32.exe" | explorer.exe

The writes attributed to explorer.exe are consistent with the code the sample injects into it (injected_process in the extracted config; explorer.exe PID 292 in the "Loads dropped DLL" signature below).
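The two registry techniques above (a direct write to Policies\Explorer\Run, and an Active Setup StubPath pointing into a user-writable directory under a malformed component GUID) are easy to turn into a host-side check. The following is an added example written for this report, not code from the sandbox or from the malware author; it assumes registry value-set events have been exported in a Sysmon Event ID 13 style, flattened to "image|target_object|details", and the five sample lines are constructed for the example rather than taken from the sandbox run.

```python
"""Flag registry value writes matching the two autostart techniques recorded
above: values under Policies\\Explorer\\Run and Active Setup StubPath values.

Added example for this report, not sandbox output. Input is assumed to be a
Sysmon Event ID 13 (RegistryEvent, Value Set) export flattened to
"image|target_object|details"; the sample lines are constructed."""
import re
from dataclasses import dataclass, field

SAMPLE_EVENTS = [
    # Dropped RAT copy writes the machine-wide and per-user Policies\Explorer\Run value.
    r"C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe"
    r"|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies"
    r"|C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe",
    r"C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe"
    r"|HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies"
    r"|C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe",
    # Same copy registers an Active Setup component under a malformed GUID.
    r"C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe"
    r"|HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N7BJ0LU-0314-3MK4-SP87-6EQ42F08IXG7}\StubPath"
    r"|C:\Users\Admin\AppData\Roaming\ituneshelpo\win32.exe Restart",
    # Constructed benign installer entry: well-formed GUID, target under Program Files.
    r"C:\Windows\System32\msiexec.exe"
    r"|HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}\StubPath"
    r"|C:\Program Files\Example\setup.exe /peruser",
    # Unrelated Explorer setting, must not fire.
    r"C:\Windows\explorer.exe"
    r"|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
    r"|1",
]

POLICY_RUN = re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.IGNORECASE)
ACTIVE_SETUP = re.compile(
    r"\\Active Setup\\Installed Components\\\{([^}]+)\}\\StubPath$", re.IGNORECASE)
HEX_GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\(?:users|programdata|temp)\\|%(?:appdata|localappdata|temp|userprofile)%)",
    re.IGNORECASE)
EXE_IN_COMMAND = re.compile(r'^\s*"?([^"]*?\.exe)\b"?', re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    image: str
    target: str
    details: str
    reasons: list = field(default_factory=list)


def launched_exe(command: str) -> str:
    """Executable at the head of a StubPath-style command line, arguments stripped."""
    m = EXE_IN_COMMAND.match(command)
    return m.group(1) if m else command.strip().split(" ")[0]


def classify(event: str):
    """Return a Finding for one exported event, or None when it is not interesting."""
    image, target, details = event.split("|", 2)
    if POLICY_RUN.search(target):
        # Normally written only by Group Policy; any direct program write is a lead.
        reasons = ["direct write to Policies\\Explorer\\Run"]
        if USER_WRITABLE.match(image):
            reasons.append("writer runs from a user-writable path")
        return Finding("policy_run_autostart", image, target, details, reasons)
    m = ACTIVE_SETUP.search(target)
    if m:
        reasons = []
        if USER_WRITABLE.match(launched_exe(details)):
            reasons.append("StubPath points into a user-writable path")
        if USER_WRITABLE.match(image):
            reasons.append("writer runs from a user-writable path")
        if not HEX_GUID.match(m.group(1)):
            reasons.append("component name is not a well-formed GUID")
        if reasons:
            return Finding("active_setup_stubpath", image, target, details, reasons)
    return None


def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.technique, f.image, "->", f.details, "|", "; ".join(f.reasons))
```

The Policies\Explorer\Run rule fires on any direct write because legitimate software has no business there; the Active Setup rule needs at least one of the three reasons, since Windows and installers such as msiexec.exe register StubPath values routinely.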
Executes dropped EXE (64 IoCs)
All 64 executions are of the dropped win32.exe. PIDs in order of appearance: 600, 2036, 3024, 296, 1804, 2188, 2292, 856, 2276, 2544, 2692, 2828, 2936, 1812, 2676, 1212, 2964, 2984, 1732, 1316, 1572, 3036, 3040, 1344, 2464, 728, 844, 1588, 1940, 1832, 3008, 2124, 2772, 316, 2088, 1484, 2028, 2940, 2496, 1248, 2584, 3028, 1324, 1088, 3004, 2156, 2996, 1988, 3012, 2804, 2624, 2168, 836, 876, 2356, 2588, 1252, 1284, 2456, 3036, 440, 700, 2288, 964 (3036 appears twice because the PID was reused). Each group of three consecutive PIDs is one parent -> child -> grandchild chain from the SetThreadContext signature below.
Loads dropped DLL (58 IoCs)
All 58 load events are by explorer.exe, PID 292, the process named in the config's injected_process field.
Writes to the Master Boot Record (MBR) (1 TTP, 30 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. What the sandbox recorded here is a write-capable handle to the raw disk (\??\PhysicalDrive0), opened 29 times by win32.exe and once by the original sample; the report contains no sector-0 write event, so treat this as a lead to confirm by comparing the host's MBR against a known-good baseline rather than as proof of a bootkit.

count | description | ioc | process
29 | File opened for modification | \??\PhysicalDrive0 | win32.exe
1 | File opened for modification | \??\PhysicalDrive0 | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
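Confirming whether the raw-disk handle above was actually used to change the MBR means reading sector 0 and comparing it with a baseline. The following is an added example written for this report, not code from the sandbox or the malware: parse_mbr() takes any 512-byte sector, and on a live Windows host you would feed it the first 512 bytes of \\.\PhysicalDrive0 read as Administrator and compare against a sector saved from a known-good image. The sector used here is constructed so the example runs offline; the 440-byte boot-code length is the classic MBR layout (bootstrap code, 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA).

```python
"""Parse a 512-byte MBR and report what changed against a baseline sector.

Added example for this report, not sandbox output. On a real host read the
sector with open(r"\\\\.\\PhysicalDrive0", "rb").read(512) as Administrator;
the sector built below is constructed for the example."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE = 440        # classic layout: bootstrap code ...
DISK_SIG = 440         # ... then a 4-byte disk signature, 2 reserved bytes,
PART_TABLE = 446       # four 16-byte partition entries ...
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
                        # ... and the 0x55AA signature at offset 510.


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and extract boot-code hash, disk signature, partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE + 16 * slot)
        if ptype:  # type 0 marks an empty slot
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG)[0],
        "partitions": partitions,
    }


def mbr_drift(baseline: bytes, current: bytes) -> list:
    """Name each region that differs between the baseline MBR and the one read now."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    drift = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        drift.append("boot code changed")
    if b["disk_signature"] != c["disk_signature"]:
        drift.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        drift.append("partition table changed")
    return drift


def build_sample_mbr() -> bytes:
    """Constructed sector: xor ax,ax / mov ss,ax / mov sp,7C00h padded with NOPs,
    one bootable NTFS-type (0x07) partition, valid boot signature."""
    boot = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOT_CODE, b"\x90")
    disk_sig = struct.pack("<I", 0x78563412)
    entry = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + bytes(16 * 3)
    return boot + disk_sig + b"\x00\x00" + table + b"\x55\xAA"


def tamper_boot_code(sector: bytes, offset: int = 0x40) -> bytes:
    """Simulate a bootkit patch by flipping one byte inside the bootstrap code."""
    return sector[:offset] + bytes([sector[offset] ^ 0xFF]) + sector[offset + 1:]


if __name__ == "__main__":
    good = build_sample_mbr()
    print(parse_mbr(good))
    print(mbr_drift(good, tamper_boot_code(good)))
```

Hashing only the 440 bytes of boot code keeps the comparison stable across legitimate partition edits, while the partition-table comparison catches a bootkit that redirects the active partition instead of patching the loader.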
Drops file in System32 directory (60 IoCs)
All 60 events concern one path. The registry values written by the first stage (see the two autostart signatures above) name C:\Windows\system32\ituneshelpo\win32.exe, while the file is recorded at C:\Windows\SysWOW64\ituneshelpo\win32.exe: the sample is 32-bit, so WOW64 file-system redirection maps its system32 writes to SysWOW64. Hunt on the SysWOW64 path, which is where the file actually lands.

count | description | ioc | process
29 | File created | C:\Windows\SysWOW64\ituneshelpo\win32.exe | win32.exe
29 | File opened for modification | C:\Windows\SysWOW64\ituneshelpo\win32.exe | win32.exe
1 | File created | C:\Windows\SysWOW64\ituneshelpo\win32.exe | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
1 | File opened for modification | C:\Windows\SysWOW64\ituneshelpo\win32.exe | JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Suspicious use of SetThreadContext 60 IoCs
System Location Discovery: System Language Discovery 1 TTPs 62 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1716 JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Suspicious use of SetWindowsHookEx 60 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
PID:1184
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1716
C:\Windows\SysWOW64\explorer.exe (depth 5)
Command line: explorer.exe
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:292
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:600
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2036
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3024
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:296
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1804
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2188
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2292
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:856
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2276
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2544
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2692
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2828
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2936
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1812
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2676
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1212
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2984
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1732
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1316
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1572
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3036
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3040
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1344
C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2464
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:728 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:844
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1588 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1940 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1832
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3008 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2124 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2772
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:316 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2088 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1484
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2028 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2940 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2496
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1248 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3028
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1324 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1088 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3004
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2156 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2996 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1988
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2804 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2624
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2168 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:836 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:876
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2356 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2588 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:1252
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1284 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2456 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3036
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:440 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:700 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2288
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:964 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1592 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:2724
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2816 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:2928
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:316 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:2992
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1624 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:592
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:692 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1600 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:840
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:892 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:2548
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2316 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2752 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:2648
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1000 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1212 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID:1228
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads