268fc2013b2620acbfa8a726b3b78ff584bf7b067e7bbe15ccc85e671a6745e9

Analysis

max time kernel
17s
max time network
77s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
Size

78KB
MD5

8aafd50aac3e9730d337421060bbd201
SHA1

aaab5812392d7e620736211d47c02ca0793a3e3f
SHA256

268fc2013b2620acbfa8a726b3b78ff584bf7b067e7bbe15ccc85e671a6745e9
SHA512

83c1bf5cacc7059bb2b7ad44d041e1cf1e3afeda6487a5c4a967229780fc54573fed17dc1ff413ed86f372d31c59a76696aa79df3ec78749b0405676ec9d80cd
SSDEEP

1536:26mrbxxuzuCTChMLJUK3bRPr1mb0KdeWbdTTo:2vbLQ5kgUGbRDsmGdTTo

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2828	smss.exe
2656	smss.exe

Loads dropped DLL 11 IoCs

pid	Process
2796	regsvr32.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2828	smss.exe
2828	smss.exe
2828	smss.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2656	smss.exe
2656	smss.exe
2656	smss.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{533DA319-AD1D-43BB-94C3-CB651A8F712C}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\ = "??????"	regedit.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tao.ico	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File opened for modification	C:\Windows\t.ico	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File opened for modification	C:\Windows\OEC\QDLMJNKZUQ.dll	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File opened for modification	C:\Windows\X\smss.exe	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File created	C:\Windows\Survival_0.txt	smss.exe
File opened for modification	C:\Windows\Survival_0.txt	smss.exe
File created	C:\Windows\userid.txt	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File opened for modification	C:\Windows\LJA\CJS.vbe	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
File created	C:\Windows\reg.reg	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	smss.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\ = "QvodAdBlocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ = "_Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib\ = "{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ = "Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\0\win32\ = "C:\\Windows\\OEC\\QDLMJNKZUQ.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\ProgID\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid\ = "{533DA319-AD1D-43BB-94C3-CB651A8F712C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\TypeLib\ = "{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\HELPDIR\ = "C:\\Windows\\OEC"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib\ = "{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\InprocServer32\ = "C:\\Windows\\OEC\\QDLMJNKZUQ.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02F9CB9B-2A26-4817-AA60-42F14AF98C1C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0164A626-C205-475A-AE30-25442BF5B95F}\ = "_Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{533DA319-AD1D-43BB-94C3-CB651A8F712C}\TypeLib	regsvr32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2676	regedit.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
2828	smss.exe
2828	smss.exe
2828	smss.exe
2656	smss.exe
2656	smss.exe
2656	smss.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2840	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	33
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2796	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	34
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2068 wrote to memory of 2460	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	35
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2460 wrote to memory of 2676	2460	cmd.exe	37
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2828	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	38
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2068 wrote to memory of 2656	2068	JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe	39
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41
PID 2656 wrote to memory of 2572	2656	smss.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\LJA\CJS.vbe" 0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\OEC\QDLMJNKZUQ.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s C:\Windows\reg.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\reg.reg
    3⤵
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2676
- C:\Windows\X\smss.exe
  C:\Windows\X\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Windows\X\smss.exe
  C:\Windows\X\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "microsoft" /d "c:\windows\x\smss.exe " /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LJA\CJS.vbe

Filesize
1.4MB

MD5
d5def5a3bf2c5852124a7ad61c1bb570

SHA1
f116aef31e3f71b50c92165fd3c8d67db14c840c

SHA256
20f75b6128f0b69cb17e90535881c7312f1c86646e11543aeb8683ee02dfda0f

SHA512
f94eeed41ad1ce2e9abc688962e9a2c0226669cc1d2827f2ad28002f57b9911de4dbefae1a458a00662369cb5f9445841988b303fc2efc994169df59de02bf20

Download Submit
C:\Windows\OEC\QDLMJNKZUQ.dll

Filesize
3.3MB

MD5
cf16d09f528e62d9fd1f6ece077fea4a

SHA1
1101369d845fee1a1d63c2081cdb8049e1ebf091

SHA256
f33d07de17519eb516eadb4486a6b97f688381d43dd12f99e0dc3ef85e25c62d

SHA512
e905e887551e105bd6ab28731e1f8db1faa977bd3f5c86e05bf9a54fa176352d3aec2e3dd8ef11b62a2e0bc9978c589927a811c64c2f5f81caab7747fa58d535

Download Submit
C:\Windows\Survival_0.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Windows\X\smss.exe

Filesize
7.5MB

MD5
fd76a8964eeffbc3ba0a2cf2de833b02

SHA1
e5c3649e07c00121b26293ae57be16071d21e982

SHA256
e20015cd6122389fa8f05c7b3b577207ae849af68447c695a728cd4595bf00ea

SHA512
045c7586b61e2908fb247eb9417d46200f775dcbe1f6ffc8f91c3ca2a4df4a097bd1cca27668dd3ba2f0888b417225f34d97777b7c386a40181da2489e96e90a

Download Submit
C:\Windows\reg.reg

Filesize
185B

MD5
d786c602ee4d1c98f13347b1421563da

SHA1
31726c39ffe4da9ebaf71cd1033ed88909006697

SHA256
62b603de263f2f1a0cde4c17ede80e935aff6ef0df2f03d90aee896f497ff616

SHA512
61a218d9bf1d6dd3e137fa048a5b343ebffd82eef93cff7852f9e47dc05d3cf50fb04834e97329135244af6e1975d7b6df57d9797a99bf210813f7ff7c2acb4e

Download Submit
C:\Windows\userid.txt

Filesize
5B

MD5
3719bc4d13977453b5d8c9d8f1e7462a

SHA1
c24505bcdb2b09980198730cd4791acad1796dcc

SHA256
197a4e2a0db3b79c8240827c9ea2ed1476c8a5ad7e22c02c832ba3a0a8bff9a1

SHA512
9bebfe9c377389f34afd15c2f4e2b027edfec3ec4883f0df09c8a0e4d22dbb9692eb8b4264c89165bc336c458e5488a7cd743bd5f99ae5d4b71a8b3c2805f1a5

Download Submit
memory/2068-0-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2068-2-0x0000000000B70000-0x0000000000CFF000-memory.dmp

Filesize
1.6MB

Download
memory/2068-6-0x0000000005B60000-0x0000000006BC2000-memory.dmp

Filesize
16.4MB

Download
memory/2068-80-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2656-69-0x00000000054F0000-0x0000000006552000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads