Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
01-07-2024 23:03
Static task
static1
Behavioral task
behavioral1
Sample
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
-
Size
904KB
-
MD5
1cd7f3d1789fce8865ceb8a1efef4c91
-
SHA1
a990cddb8534faab48e2f97ee5b699bd5311623c
-
SHA256
122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a
-
SHA512
e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f
-
SSDEEP
12288:y3Or9fnnE3OtPtNOzifk58f0LHj5iL3wBt6PSPRfsV0eQWdFfefL432hjvB7eb25:3aetlT86f07jUMBtPRjmeTKCjvde0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
Processes:
javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe" 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe -
Sets file to hidden 1 TTPs 24 IoCs
Modifies file attributes so that the file is hidden from Explorer and similar tools.
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 1200 attrib.exe 5020 attrib.exe 4848 attrib.exe 2568 attrib.exe 1224 attrib.exe 2936 attrib.exe 544 attrib.exe 552 attrib.exe 2780 attrib.exe 5100 attrib.exe 3488 attrib.exe 3112 attrib.exe 1292 attrib.exe 1600 attrib.exe 2288 attrib.exe 4056 attrib.exe 572 attrib.exe 2068 attrib.exe 2084 attrib.exe 928 attrib.exe 1992 attrib.exe 4404 attrib.exe 1508 attrib.exe 4116 attrib.exe -
Checks computer location settings 2 TTPs 24 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
Processes:
javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 
javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation javaupdate.exe -
Executes dropped EXE 64 IoCs
Processes:
javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exepid process 4588 javaupdate.exe 4572 javaupdate.exe 2396 javaupdate.exe 4652 javaupdate.exe 4736 javaupdate.exe 3100 javaupdate.exe 4752 javaupdate.exe 1040 javaupdate.exe 5024 javaupdate.exe 2648 javaupdate.exe 3900 javaupdate.exe 556 javaupdate.exe 3164 javaupdate.exe 1492 javaupdate.exe 956 javaupdate.exe 4428 javaupdate.exe 4200 javaupdate.exe 1936 javaupdate.exe 3036 javaupdate.exe 5060 javaupdate.exe 2868 javaupdate.exe 4352 javaupdate.exe 4508 javaupdate.exe 4968 javaupdate.exe 5036 javaupdate.exe 696 javaupdate.exe 4376 javaupdate.exe 3568 javaupdate.exe 3948 javaupdate.exe 4884 javaupdate.exe 4976 javaupdate.exe 2180 javaupdate.exe 3816 javaupdate.exe 4428 javaupdate.exe 3460 javaupdate.exe 5064 javaupdate.exe 2756 javaupdate.exe 3972 javaupdate.exe 1132 javaupdate.exe 1692 javaupdate.exe 2916 javaupdate.exe 4852 javaupdate.exe 5084 javaupdate.exe 5036 javaupdate.exe 1380 javaupdate.exe 568 javaupdate.exe 5116 javaupdate.exe 4880 javaupdate.exe 3412 javaupdate.exe 212 javaupdate.exe 1496 javaupdate.exe 4076 javaupdate.exe 8 javaupdate.exe 1200 javaupdate.exe 4252 javaupdate.exe 
5008 javaupdate.exe 2948 javaupdate.exe 2964 javaupdate.exe 3652 javaupdate.exe 4296 javaupdate.exe 1560 javaupdate.exe 3212 javaupdate.exe 1240 javaupdate.exe 4168 javaupdate.exe -
Adds Run key to start application 2 TTPs 24 IoCs
Processes:
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe" javaupdate.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 24 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exedescription ioc process File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe File opened for modification \??\PhysicalDrive0 javaupdate.exe -
Drops file in System32 directory 64 IoCs
Processes:
javaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exejavaupdate.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for 
modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened 
for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe File created C:\Windows\SysWOW64\javaupdate.exe javaupdate.exe File opened for modification C:\Windows\SysWOW64\ javaupdate.exe File opened for modification C:\Windows\SysWOW64\javaupdate.exe attrib.exe -
Suspicious use of SetThreadContext 48 IoCs
Processes:
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exedescription pid process target process PID 4836 set thread context of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 set thread context of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4588 set thread context of 4572 4588 javaupdate.exe javaupdate.exe PID 4572 set thread context of 2396 4572 javaupdate.exe javaupdate.exe PID 4652 set thread context of 4736 4652 javaupdate.exe javaupdate.exe PID 4736 set thread context of 3100 4736 javaupdate.exe javaupdate.exe PID 4752 set thread context of 1040 4752 javaupdate.exe javaupdate.exe PID 1040 set thread context of 5024 1040 javaupdate.exe javaupdate.exe PID 2648 set thread context of 3900 2648 javaupdate.exe javaupdate.exe PID 3900 set thread context of 556 3900 javaupdate.exe javaupdate.exe PID 3164 set thread context of 1492 3164 javaupdate.exe javaupdate.exe PID 1492 set thread context of 956 1492 javaupdate.exe javaupdate.exe PID 4428 set thread context of 4200 4428 javaupdate.exe javaupdate.exe PID 4200 set thread context of 1936 4200 javaupdate.exe javaupdate.exe PID 3036 set thread context of 5060 3036 javaupdate.exe javaupdate.exe PID 5060 
set thread context of 2868 5060 javaupdate.exe javaupdate.exe PID 4352 set thread context of 4508 4352 javaupdate.exe javaupdate.exe PID 4508 set thread context of 4968 4508 javaupdate.exe javaupdate.exe PID 5036 set thread context of 696 5036 javaupdate.exe javaupdate.exe PID 696 set thread context of 4376 696 javaupdate.exe javaupdate.exe PID 3568 set thread context of 3948 3568 javaupdate.exe javaupdate.exe PID 3948 set thread context of 4884 3948 javaupdate.exe javaupdate.exe PID 4976 set thread context of 2180 4976 javaupdate.exe javaupdate.exe PID 2180 set thread context of 3816 2180 javaupdate.exe javaupdate.exe PID 4428 set thread context of 3460 4428 javaupdate.exe javaupdate.exe PID 3460 set thread context of 5064 3460 javaupdate.exe javaupdate.exe PID 2756 set thread context of 3972 2756 javaupdate.exe javaupdate.exe PID 3972 set thread context of 1132 3972 javaupdate.exe javaupdate.exe PID 1692 set thread context of 2916 1692 javaupdate.exe javaupdate.exe PID 2916 set thread context of 4852 2916 javaupdate.exe javaupdate.exe PID 5084 set thread context of 5036 5084 javaupdate.exe javaupdate.exe PID 5036 set thread context of 1380 5036 javaupdate.exe javaupdate.exe PID 568 set thread context of 5116 568 javaupdate.exe javaupdate.exe PID 5116 set thread context of 4880 5116 javaupdate.exe javaupdate.exe PID 3412 set thread context of 212 3412 javaupdate.exe javaupdate.exe PID 212 set thread context of 1496 212 javaupdate.exe javaupdate.exe PID 4076 set thread context of 8 4076 javaupdate.exe javaupdate.exe PID 8 set thread context of 1200 8 javaupdate.exe javaupdate.exe PID 4252 set thread context of 5008 4252 javaupdate.exe javaupdate.exe PID 5008 set thread context of 2948 5008 javaupdate.exe javaupdate.exe PID 2964 set thread context of 3652 2964 javaupdate.exe javaupdate.exe PID 3652 set thread context of 4296 3652 javaupdate.exe javaupdate.exe PID 1560 set thread context of 3212 1560 javaupdate.exe javaupdate.exe PID 3212 set thread context of 1240 
3212 javaupdate.exe javaupdate.exe PID 4168 set thread context of 896 4168 javaupdate.exe javaupdate.exe PID 896 set thread context of 2144 896 javaupdate.exe javaupdate.exe PID 492 set thread context of 4728 492 javaupdate.exe javaupdate.exe PID 4728 set thread context of 2164 4728 javaupdate.exe javaupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exedescription pid process Token: SeIncreaseQuotaPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeSecurityPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeSystemtimePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeBackupPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeRestorePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeShutdownPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeDebugPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeUndockPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeManageVolumePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeImpersonatePrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: 33 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: 34 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: 35 2284 
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: 36 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2396 javaupdate.exe Token: SeSecurityPrivilege 2396 javaupdate.exe Token: SeTakeOwnershipPrivilege 2396 javaupdate.exe Token: SeLoadDriverPrivilege 2396 javaupdate.exe Token: SeSystemProfilePrivilege 2396 javaupdate.exe Token: SeSystemtimePrivilege 2396 javaupdate.exe Token: SeProfSingleProcessPrivilege 2396 javaupdate.exe Token: SeIncBasePriorityPrivilege 2396 javaupdate.exe Token: SeCreatePagefilePrivilege 2396 javaupdate.exe Token: SeBackupPrivilege 2396 javaupdate.exe Token: SeRestorePrivilege 2396 javaupdate.exe Token: SeShutdownPrivilege 2396 javaupdate.exe Token: SeDebugPrivilege 2396 javaupdate.exe Token: SeSystemEnvironmentPrivilege 2396 javaupdate.exe Token: SeChangeNotifyPrivilege 2396 javaupdate.exe Token: SeRemoteShutdownPrivilege 2396 javaupdate.exe Token: SeUndockPrivilege 2396 javaupdate.exe Token: SeManageVolumePrivilege 2396 javaupdate.exe Token: SeImpersonatePrivilege 2396 javaupdate.exe Token: SeCreateGlobalPrivilege 2396 javaupdate.exe Token: 33 2396 javaupdate.exe Token: 34 2396 javaupdate.exe Token: 35 2396 javaupdate.exe Token: 36 2396 javaupdate.exe Token: SeIncreaseQuotaPrivilege 3100 javaupdate.exe Token: SeSecurityPrivilege 3100 javaupdate.exe Token: SeTakeOwnershipPrivilege 3100 javaupdate.exe Token: SeLoadDriverPrivilege 3100 javaupdate.exe Token: SeSystemProfilePrivilege 3100 javaupdate.exe Token: SeSystemtimePrivilege 3100 javaupdate.exe Token: SeProfSingleProcessPrivilege 3100 javaupdate.exe Token: SeIncBasePriorityPrivilege 3100 javaupdate.exe Token: SeCreatePagefilePrivilege 3100 javaupdate.exe Token: SeBackupPrivilege 3100 javaupdate.exe Token: SeRestorePrivilege 3100 javaupdate.exe Token: SeShutdownPrivilege 3100 javaupdate.exe Token: SeDebugPrivilege 3100 javaupdate.exe Token: SeSystemEnvironmentPrivilege 3100 javaupdate.exe Token: SeChangeNotifyPrivilege 3100 javaupdate.exe Token: 
SeRemoteShutdownPrivilege 3100 javaupdate.exe -
Suspicious use of SetWindowsHookEx 48 IoCs
Processes:
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exepid process 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 4588 javaupdate.exe 4572 javaupdate.exe 4652 javaupdate.exe 4736 javaupdate.exe 4752 javaupdate.exe 1040 javaupdate.exe 2648 javaupdate.exe 3900 javaupdate.exe 3164 javaupdate.exe 1492 javaupdate.exe 4428 javaupdate.exe 4200 javaupdate.exe 3036 javaupdate.exe 5060 javaupdate.exe 4352 javaupdate.exe 4508 javaupdate.exe 5036 javaupdate.exe 696 javaupdate.exe 3568 javaupdate.exe 3948 javaupdate.exe 4976 javaupdate.exe 2180 javaupdate.exe 4428 javaupdate.exe 3460 javaupdate.exe 2756 javaupdate.exe 3972 javaupdate.exe 1692 javaupdate.exe 2916 javaupdate.exe 5084 javaupdate.exe 5036 javaupdate.exe 568 javaupdate.exe 5116 javaupdate.exe 3412 javaupdate.exe 212 javaupdate.exe 4076 javaupdate.exe 8 javaupdate.exe 4252 javaupdate.exe 5008 javaupdate.exe 2964 javaupdate.exe 3652 javaupdate.exe 1560 javaupdate.exe 3212 javaupdate.exe 4168 javaupdate.exe 896 javaupdate.exe 492 javaupdate.exe 4728 javaupdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.execmd.exejavaupdate.exejavaupdate.exejavaupdate.execmd.exejavaupdate.exedescription pid process target process PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 4836 wrote to memory of 1808 4836 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 
1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 1808 wrote to memory of 2284 1808 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe PID 2284 wrote to memory of 3872 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe cmd.exe PID 2284 wrote to memory of 3872 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe cmd.exe PID 2284 wrote to memory of 3872 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe cmd.exe PID 2284 wrote to memory of 4588 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe javaupdate.exe PID 2284 wrote to memory of 4588 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe javaupdate.exe PID 2284 wrote to memory of 4588 2284 1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe javaupdate.exe PID 3872 wrote to memory of 2936 
3872 cmd.exe attrib.exe PID 3872 wrote to memory of 2936 3872 cmd.exe attrib.exe PID 3872 wrote to memory of 2936 3872 cmd.exe attrib.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4588 wrote to memory of 4572 4588 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 4572 wrote to memory of 2396 4572 javaupdate.exe javaupdate.exe PID 2396 wrote to memory of 5108 2396 javaupdate.exe cmd.exe PID 2396 wrote to memory of 5108 2396 javaupdate.exe cmd.exe PID 2396 wrote to memory of 5108 2396 javaupdate.exe cmd.exe PID 2396 wrote to memory of 4652 2396 javaupdate.exe javaupdate.exe PID 2396 wrote to memory of 4652 2396 javaupdate.exe javaupdate.exe PID 2396 wrote to memory of 4652 2396 
javaupdate.exe javaupdate.exe PID 5108 wrote to memory of 1200 5108 cmd.exe attrib.exe PID 5108 wrote to memory of 1200 5108 cmd.exe attrib.exe PID 5108 wrote to memory of 1200 5108 cmd.exe attrib.exe PID 4652 wrote to memory of 4736 4652 javaupdate.exe javaupdate.exe PID 4652 wrote to memory of 4736 4652 javaupdate.exe javaupdate.exe -
Views/modifies file attributes 1 TTPs 24 IoCs
Processes:
attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe
pid process
544 attrib.exe
1600 attrib.exe
928 attrib.exe
1992 attrib.exe
2568 attrib.exe
2936 attrib.exe
552 attrib.exe
5100 attrib.exe
1508 attrib.exe
4116 attrib.exe
572 attrib.exe
1200 attrib.exe
3112 attrib.exe
2068 attrib.exe
2084 attrib.exe
4056 attrib.exe
3488 attrib.exe
1224 attrib.exe
5020 attrib.exe
1292 attrib.exe
2288 attrib.exe
2780 attrib.exe
4848 attrib.exe
4404 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h29⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h32⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "34⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h35⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"34⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe"C:\Windows\system32\javaupdate.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 40⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 41⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 40⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 41⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 43⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 44⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 44⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 46⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 47⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 46⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 47⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 49⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 50⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 50⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 52⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 53⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 52⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 53⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 55⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 56⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 56⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 58⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 59⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 58⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 59⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 61⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 62⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 62⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 63⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 64⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 65⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 64⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 66⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 67⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 68⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 67⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 68⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 70⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 71⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 70⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 71⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 72⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe — C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" " — 73⤵
-
C:\Windows\SysWOW64\attrib.exe — attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h — 74⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\javaupdate.exe — "C:\Windows\system32\javaupdate.exe" — 73⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution — 2
Registry Run Keys / Startup Folder — 1
Winlogon Helper DLL — 1
Pre-OS Boot — 1
Bootkit — 1
Privilege Escalation
Boot or Logon Autostart Execution — 2
Registry Run Keys / Startup Folder — 1
Winlogon Helper DLL — 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize 101B
MD5 2e75c7cc780d62732d8604c89bb588ff
SHA1 cd1f73d53de7a49e4e908ce76e2fd065e365a70d
SHA256 554a5f6f4b347c7df6c8497369210c374b4a94ace876c24232c99cf942f17041
SHA512 e8f6baf70b8456b14f493f903047ef3a5c609425c2f3ab007fdc319ef6395e3c6934a82a854ae511bcaa328755d9907c3467335c693c2a814b99014f0b9bf965
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize 51B
MD5 ed4167b5a442567df6e88fdcbdb4c3df
SHA1 df34a493efcdf2db9dc6639a8c6cc498e1d5d2fb
SHA256 49779c02e089ff017e4dd4d4afb73b3af142b7abe19b99059e04a81f8c81a5fb
SHA512 9888d850e8c902e82abbd62313f21cc46b6a11719a526f6a893deb9f90b13e2e532262a03fd1e53041e0728b4ca637d1fe904f992272a9433938cafbc877ddad
-
C:\Windows\SysWOW64\javaupdate.exe
Filesize 904KB
MD5 1cd7f3d1789fce8865ceb8a1efef4c91
SHA1 a990cddb8534faab48e2f97ee5b699bd5311623c
SHA256 122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a
SHA512 e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f
-
memory/556-106-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/956-126-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/1040-80-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/1492-120-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/1808-4-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/1808-2-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/1808-52-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/1936-138-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/1936-143-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2284-7-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2284-9-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2284-10-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2284-29-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2284-8-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2396-40-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/2396-47-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/3100-60-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/3100-67-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/3900-100-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/4572-41-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/4736-61-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB
-
memory/5024-86-0x0000000000400000-0x00000000004C3000-memory.dmp
Filesize 780KB
-
memory/5060-158-0x0000000000400000-0x00000000004C1000-memory.dmp
Filesize 772KB