Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-02-2025 15:03
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Size: 428KB
MD5: f92ce93ad34f665fe91cc7ebc86015a2
SHA1: f9c47fc48898f64d6a19e2a8c6e3a9eaf332ec49
SHA256: cb2acf33b3a19911d076502af1dc28c56d577612d3c44745246c237b9a4830f9
SHA512: f9a1176d3ae9546232d164e777828eddd322167e35ebcf4e698ccd13c21fdbf13145b7c6e842d801f8626b714777c32d551d49f83637c6d5aac0d86ebb45fd4f
SSDEEP: 12288:xYiuk8BLIeKZ7EITqWj+Of9paO58/7HgmU2wflK:xYgII2DOPayb
Malware Config
Extracted
Family: cybergate
Version: v1.01.0
remote: crush31.no-ip.info:3460
CyberGate1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: ituneshelpo
install_file: win32.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
Signatures
Cybergate family
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 62 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Downloads MZ/PE file (1 IoC)
flow 22, pid 3732, Process: Process not Found
Executes dropped EXE (64 IoCs)
Writes to the Master Boot Record (MBR) (1 TTP, 30 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Drops file in System32 directory (60 IoCs)
Suspicious use of SetThreadContext 60 IoCs
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID: 216  Process: MicrosoftEdgeUpdate.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
PID: 4912  Process: JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe
Suspicious use of SetWindowsHookEx 60 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"3⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f92ce93ad34f665fe91cc7ebc86015a2.exe"4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4560 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3984 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1068
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:404 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1740 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2284
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1196 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4116 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2292
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4548 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1940 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1388 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:4864
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1020 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4012 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3388 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:2388
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3000 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1664 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:4252
-
-
-
-
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\system32\ituneshelpo\win32.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4500 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"7⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3488 -
C:\Windows\SysWOW64\ituneshelpo\win32.exe"C:\Windows\SysWOW64\ituneshelpo\win32.exe"8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID:3364
-
-
-
-
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1880
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5012
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 5100
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3448
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4348
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 540
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1796
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 456
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2376
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4936
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3916
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3476
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2428
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 840
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2148
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2784
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1732
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 212
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1584
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1028
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2512
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1952
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 960
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1744
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4284
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2344
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 3640
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4988
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2988
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2000
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4560
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1648
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 4532
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2644
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3372
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
PID: 4428
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4728
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4452
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 2824
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4656
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1828
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 1888
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2068
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3300
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 3260
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3000
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 64
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 2836
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4336
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1580
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 2424
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2020
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 756
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 3504
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1092
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3004
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 4972
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 6)
Command line: "C:\Windows\system32\ituneshelpo\win32.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1924
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 7)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1360
Process: C:\Windows\SysWOW64\ituneshelpo\win32.exe (depth 8)
Command line: "C:\Windows\SysWOW64\ituneshelpo\win32.exe"
- Boot or Logon Autostart Execution: Active Setup
- Drops file in System32 directory
PID: 4636
Process: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (depth 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [argument truncated]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDMwNzA5NTk1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID: 216
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 227KB
MD5: f844afd1549c6d4e5bff3453e6b1cbe4
SHA1: b4cec1ec79d21aa9d35ab2223bf3b9090c6f1bb5
SHA256: eb307c9924be8391b88069552544733b63b4dd0224ed80f921ac9d1800973f0b
SHA512: 1273856eb9ae126f65291c39773efec00014fd75cd1c15a6f96ff8b83702fd339a492b695e971d61f9e9c1b7b4f16249341d99350b945dcb0eb0e045a6664893
Filesize: 227KB
MD5: eb62b2632ef58fc5265bec3501bbf8f0
SHA1: 268902df17255dd4cec37b09edc6e98a6d89a3a1
SHA256: fe2bf51df5b3896e61098dd1435c154e3c49ed2fe216096df326edf266b61102
SHA512: ded12d5db0d748235f3ccce00ad7d44c297fdd600008f2a538bacacfe393bed3a80ca65b32b9934b6211f97d9c1f3f42b946fe2833737d3c3cb12970e1c2a97e
Filesize: 428KB
MD5: f92ce93ad34f665fe91cc7ebc86015a2
SHA1: f9c47fc48898f64d6a19e2a8c6e3a9eaf332ec49
SHA256: cb2acf33b3a19911d076502af1dc28c56d577612d3c44745246c237b9a4830f9
SHA512: f9a1176d3ae9546232d164e777828eddd322167e35ebcf4e698ccd13c21fdbf13145b7c6e842d801f8626b714777c32d551d49f83637c6d5aac0d86ebb45fd4f