darkcomet | 122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Size

904KB
MD5

1cd7f3d1789fce8865ceb8a1efef4c91
SHA1

a990cddb8534faab48e2f97ee5b699bd5311623c
SHA256

122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a
SHA512

e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f
SSDEEP

12288:y3Or9fnnE3OtPtNOzifk58f0LHj5iL3wBt6PSPRfsV0eQWdFfefL432hjvB7eb25:3aetlT86f07jUMBtPRjmeTKCjvde0

Score

10^/10

darkcomet bootkit evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe"	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe

Sets file to hidden 1 TTPs 24 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1200	attrib.exe
5020	attrib.exe
4848	attrib.exe
2568	attrib.exe
1224	attrib.exe
2936	attrib.exe
544	attrib.exe
552	attrib.exe
2780	attrib.exe
5100	attrib.exe
3488	attrib.exe
3112	attrib.exe
1292	attrib.exe
1600	attrib.exe
2288	attrib.exe
4056	attrib.exe
572	attrib.exe
2068	attrib.exe
2084	attrib.exe
928	attrib.exe
1992	attrib.exe
4404	attrib.exe
1508	attrib.exe
4116	attrib.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	javaupdate.exe

Executes dropped EXE 64 IoCs

Processes:

javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

pid	process
4588	javaupdate.exe
4572	javaupdate.exe
2396	javaupdate.exe
4652	javaupdate.exe
4736	javaupdate.exe
3100	javaupdate.exe
4752	javaupdate.exe
1040	javaupdate.exe
5024	javaupdate.exe
2648	javaupdate.exe
3900	javaupdate.exe
556	javaupdate.exe
3164	javaupdate.exe
1492	javaupdate.exe
956	javaupdate.exe
4428	javaupdate.exe
4200	javaupdate.exe
1936	javaupdate.exe
3036	javaupdate.exe
5060	javaupdate.exe
2868	javaupdate.exe
4352	javaupdate.exe
4508	javaupdate.exe
4968	javaupdate.exe
5036	javaupdate.exe
696	javaupdate.exe
4376	javaupdate.exe
3568	javaupdate.exe
3948	javaupdate.exe
4884	javaupdate.exe
4976	javaupdate.exe
2180	javaupdate.exe
3816	javaupdate.exe
4428	javaupdate.exe
3460	javaupdate.exe
5064	javaupdate.exe
2756	javaupdate.exe
3972	javaupdate.exe
1132	javaupdate.exe
1692	javaupdate.exe
2916	javaupdate.exe
4852	javaupdate.exe
5084	javaupdate.exe
5036	javaupdate.exe
1380	javaupdate.exe
568	javaupdate.exe
5116	javaupdate.exe
4880	javaupdate.exe
3412	javaupdate.exe
212	javaupdate.exe
1496	javaupdate.exe
4076	javaupdate.exe
8	javaupdate.exe
1200	javaupdate.exe
4252	javaupdate.exe
5008	javaupdate.exe
2948	javaupdate.exe
2964	javaupdate.exe
3652	javaupdate.exe
4296	javaupdate.exe
1560	javaupdate.exe
3212	javaupdate.exe
1240	javaupdate.exe
4168	javaupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe

Writes to the Master Boot Record (MBR) 1 TTPs 24 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

description	ioc	process
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe

Drops file in System32 directory 64 IoCs

Processes:

javaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exejavaupdate.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe

Suspicious use of SetThreadContext 48 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

description	pid	process	target process
PID 4836 set thread context of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 set thread context of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4588 set thread context of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4572 set thread context of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4652 set thread context of 4736	4652	javaupdate.exe	javaupdate.exe
PID 4736 set thread context of 3100	4736	javaupdate.exe	javaupdate.exe
PID 4752 set thread context of 1040	4752	javaupdate.exe	javaupdate.exe
PID 1040 set thread context of 5024	1040	javaupdate.exe	javaupdate.exe
PID 2648 set thread context of 3900	2648	javaupdate.exe	javaupdate.exe
PID 3900 set thread context of 556	3900	javaupdate.exe	javaupdate.exe
PID 3164 set thread context of 1492	3164	javaupdate.exe	javaupdate.exe
PID 1492 set thread context of 956	1492	javaupdate.exe	javaupdate.exe
PID 4428 set thread context of 4200	4428	javaupdate.exe	javaupdate.exe
PID 4200 set thread context of 1936	4200	javaupdate.exe	javaupdate.exe
PID 3036 set thread context of 5060	3036	javaupdate.exe	javaupdate.exe
PID 5060 set thread context of 2868	5060	javaupdate.exe	javaupdate.exe
PID 4352 set thread context of 4508	4352	javaupdate.exe	javaupdate.exe
PID 4508 set thread context of 4968	4508	javaupdate.exe	javaupdate.exe
PID 5036 set thread context of 696	5036	javaupdate.exe	javaupdate.exe
PID 696 set thread context of 4376	696	javaupdate.exe	javaupdate.exe
PID 3568 set thread context of 3948	3568	javaupdate.exe	javaupdate.exe
PID 3948 set thread context of 4884	3948	javaupdate.exe	javaupdate.exe
PID 4976 set thread context of 2180	4976	javaupdate.exe	javaupdate.exe
PID 2180 set thread context of 3816	2180	javaupdate.exe	javaupdate.exe
PID 4428 set thread context of 3460	4428	javaupdate.exe	javaupdate.exe
PID 3460 set thread context of 5064	3460	javaupdate.exe	javaupdate.exe
PID 2756 set thread context of 3972	2756	javaupdate.exe	javaupdate.exe
PID 3972 set thread context of 1132	3972	javaupdate.exe	javaupdate.exe
PID 1692 set thread context of 2916	1692	javaupdate.exe	javaupdate.exe
PID 2916 set thread context of 4852	2916	javaupdate.exe	javaupdate.exe
PID 5084 set thread context of 5036	5084	javaupdate.exe	javaupdate.exe
PID 5036 set thread context of 1380	5036	javaupdate.exe	javaupdate.exe
PID 568 set thread context of 5116	568	javaupdate.exe	javaupdate.exe
PID 5116 set thread context of 4880	5116	javaupdate.exe	javaupdate.exe
PID 3412 set thread context of 212	3412	javaupdate.exe	javaupdate.exe
PID 212 set thread context of 1496	212	javaupdate.exe	javaupdate.exe
PID 4076 set thread context of 8	4076	javaupdate.exe	javaupdate.exe
PID 8 set thread context of 1200	8	javaupdate.exe	javaupdate.exe
PID 4252 set thread context of 5008	4252	javaupdate.exe	javaupdate.exe
PID 5008 set thread context of 2948	5008	javaupdate.exe	javaupdate.exe
PID 2964 set thread context of 3652	2964	javaupdate.exe	javaupdate.exe
PID 3652 set thread context of 4296	3652	javaupdate.exe	javaupdate.exe
PID 1560 set thread context of 3212	1560	javaupdate.exe	javaupdate.exe
PID 3212 set thread context of 1240	3212	javaupdate.exe	javaupdate.exe
PID 4168 set thread context of 896	4168	javaupdate.exe	javaupdate.exe
PID 896 set thread context of 2144	896	javaupdate.exe	javaupdate.exe
PID 492 set thread context of 4728	492	javaupdate.exe	javaupdate.exe
PID 4728 set thread context of 2164	4728	javaupdate.exe	javaupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSecurityPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeBackupPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeRestorePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeShutdownPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeDebugPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeUndockPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 33	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 34	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 35	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 36	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2396	javaupdate.exe
Token: SeSecurityPrivilege	2396	javaupdate.exe
Token: SeTakeOwnershipPrivilege	2396	javaupdate.exe
Token: SeLoadDriverPrivilege	2396	javaupdate.exe
Token: SeSystemProfilePrivilege	2396	javaupdate.exe
Token: SeSystemtimePrivilege	2396	javaupdate.exe
Token: SeProfSingleProcessPrivilege	2396	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2396	javaupdate.exe
Token: SeCreatePagefilePrivilege	2396	javaupdate.exe
Token: SeBackupPrivilege	2396	javaupdate.exe
Token: SeRestorePrivilege	2396	javaupdate.exe
Token: SeShutdownPrivilege	2396	javaupdate.exe
Token: SeDebugPrivilege	2396	javaupdate.exe
Token: SeSystemEnvironmentPrivilege	2396	javaupdate.exe
Token: SeChangeNotifyPrivilege	2396	javaupdate.exe
Token: SeRemoteShutdownPrivilege	2396	javaupdate.exe
Token: SeUndockPrivilege	2396	javaupdate.exe
Token: SeManageVolumePrivilege	2396	javaupdate.exe
Token: SeImpersonatePrivilege	2396	javaupdate.exe
Token: SeCreateGlobalPrivilege	2396	javaupdate.exe
Token: 33	2396	javaupdate.exe
Token: 34	2396	javaupdate.exe
Token: 35	2396	javaupdate.exe
Token: 36	2396	javaupdate.exe
Token: SeIncreaseQuotaPrivilege	3100	javaupdate.exe
Token: SeSecurityPrivilege	3100	javaupdate.exe
Token: SeTakeOwnershipPrivilege	3100	javaupdate.exe
Token: SeLoadDriverPrivilege	3100	javaupdate.exe
Token: SeSystemProfilePrivilege	3100	javaupdate.exe
Token: SeSystemtimePrivilege	3100	javaupdate.exe
Token: SeProfSingleProcessPrivilege	3100	javaupdate.exe
Token: SeIncBasePriorityPrivilege	3100	javaupdate.exe
Token: SeCreatePagefilePrivilege	3100	javaupdate.exe
Token: SeBackupPrivilege	3100	javaupdate.exe
Token: SeRestorePrivilege	3100	javaupdate.exe
Token: SeShutdownPrivilege	3100	javaupdate.exe
Token: SeDebugPrivilege	3100	javaupdate.exe
Token: SeSystemEnvironmentPrivilege	3100	javaupdate.exe
Token: SeChangeNotifyPrivilege	3100	javaupdate.exe
Token: SeRemoteShutdownPrivilege	3100	javaupdate.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

pid	process
4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
4588	javaupdate.exe
4572	javaupdate.exe
4652	javaupdate.exe
4736	javaupdate.exe
4752	javaupdate.exe
1040	javaupdate.exe
2648	javaupdate.exe
3900	javaupdate.exe
3164	javaupdate.exe
1492	javaupdate.exe
4428	javaupdate.exe
4200	javaupdate.exe
3036	javaupdate.exe
5060	javaupdate.exe
4352	javaupdate.exe
4508	javaupdate.exe
5036	javaupdate.exe
696	javaupdate.exe
3568	javaupdate.exe
3948	javaupdate.exe
4976	javaupdate.exe
2180	javaupdate.exe
4428	javaupdate.exe
3460	javaupdate.exe
2756	javaupdate.exe
3972	javaupdate.exe
1692	javaupdate.exe
2916	javaupdate.exe
5084	javaupdate.exe
5036	javaupdate.exe
568	javaupdate.exe
5116	javaupdate.exe
3412	javaupdate.exe
212	javaupdate.exe
4076	javaupdate.exe
8	javaupdate.exe
4252	javaupdate.exe
5008	javaupdate.exe
2964	javaupdate.exe
3652	javaupdate.exe
1560	javaupdate.exe
3212	javaupdate.exe
4168	javaupdate.exe
896	javaupdate.exe
492	javaupdate.exe
4728	javaupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.execmd.exejavaupdate.exejavaupdate.exejavaupdate.execmd.exejavaupdate.exe

description	pid	process	target process
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 4836 wrote to memory of 1808	4836	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1808 wrote to memory of 2284	1808	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2284 wrote to memory of 3872	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3872	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 3872	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 4588	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 2284 wrote to memory of 4588	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 2284 wrote to memory of 4588	2284	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3872 wrote to memory of 2936	3872	cmd.exe	attrib.exe
PID 3872 wrote to memory of 2936	3872	cmd.exe	attrib.exe
PID 3872 wrote to memory of 2936	3872	cmd.exe	attrib.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4588 wrote to memory of 4572	4588	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 4572 wrote to memory of 2396	4572	javaupdate.exe	javaupdate.exe
PID 2396 wrote to memory of 5108	2396	javaupdate.exe	cmd.exe
PID 2396 wrote to memory of 5108	2396	javaupdate.exe	cmd.exe
PID 2396 wrote to memory of 5108	2396	javaupdate.exe	cmd.exe
PID 2396 wrote to memory of 4652	2396	javaupdate.exe	javaupdate.exe
PID 2396 wrote to memory of 4652	2396	javaupdate.exe	javaupdate.exe
PID 2396 wrote to memory of 4652	2396	javaupdate.exe	javaupdate.exe
PID 5108 wrote to memory of 1200	5108	cmd.exe	attrib.exe
PID 5108 wrote to memory of 1200	5108	cmd.exe	attrib.exe
PID 5108 wrote to memory of 1200	5108	cmd.exe	attrib.exe
PID 4652 wrote to memory of 4736	4652	javaupdate.exe	javaupdate.exe
PID 4652 wrote to memory of 4736	4652	javaupdate.exe	javaupdate.exe

Views/modifies file attributes 1 TTPs 24 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
544	attrib.exe
1600	attrib.exe
928	attrib.exe
1992	attrib.exe
2568	attrib.exe
2936	attrib.exe
552	attrib.exe
5100	attrib.exe
1508	attrib.exe
4116	attrib.exe
572	attrib.exe
1200	attrib.exe
3112	attrib.exe
2068	attrib.exe
2084	attrib.exe
4056	attrib.exe
3488	attrib.exe
1224	attrib.exe
5020	attrib.exe
1292	attrib.exe
2288	attrib.exe
2780	attrib.exe
4848	attrib.exe
4404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2936

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1200

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:4708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3112

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
13⤵
PID:2456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:5020

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
16⤵
PID:4728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:544

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
19⤵
PID:4776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1292

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
22⤵
PID:3168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:552

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
25⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1600

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
28⤵
PID:4516

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
29⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2288

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:696

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
31⤵
PID:1016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
32⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2068

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
34⤵
PID:3928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
35⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2780

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
34⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
37⤵
PID:1288

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2084

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
40⤵
PID:4744

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
41⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4056

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
40⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
41⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
43⤵
PID:1800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5100

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
44⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
46⤵
PID:3232

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
47⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3488

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
46⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
47⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
49⤵
PID:2788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
50⤵
- Sets file to hidden
- Views/modifies file attributes
PID:928

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
50⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
52⤵
PID:932

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
53⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4848

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
52⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
53⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
55⤵
PID:4780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
56⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1992

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
56⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
58⤵
PID:3700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
59⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2568

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
58⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
59⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
61⤵
PID:2952

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
62⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4404

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
62⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
63⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
64⤵
PID:4912

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
65⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1508

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
64⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
66⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
67⤵
PID:5084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
68⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4116

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
67⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
68⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:896

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
69⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
70⤵
PID:1384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
71⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:572

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
70⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
71⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
72⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
73⤵
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
74⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1224

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
73⤵
PID:2652

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
101B

MD5
2e75c7cc780d62732d8604c89bb588ff

SHA1
cd1f73d53de7a49e4e908ce76e2fd065e365a70d

SHA256
554a5f6f4b347c7df6c8497369210c374b4a94ace876c24232c99cf942f17041

SHA512
e8f6baf70b8456b14f493f903047ef3a5c609425c2f3ab007fdc319ef6395e3c6934a82a854ae511bcaa328755d9907c3467335c693c2a814b99014f0b9bf965

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
51B

MD5
ed4167b5a442567df6e88fdcbdb4c3df

SHA1
df34a493efcdf2db9dc6639a8c6cc498e1d5d2fb

SHA256
49779c02e089ff017e4dd4d4afb73b3af142b7abe19b99059e04a81f8c81a5fb

SHA512
9888d850e8c902e82abbd62313f21cc46b6a11719a526f6a893deb9f90b13e2e532262a03fd1e53041e0728b4ca637d1fe904f992272a9433938cafbc877ddad

Download Submit
C:\Windows\SysWOW64\javaupdate.exe
Filesize
904KB

MD5
1cd7f3d1789fce8865ceb8a1efef4c91

SHA1
a990cddb8534faab48e2f97ee5b699bd5311623c

SHA256
122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a

SHA512
e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f

Download Submit
memory/556-106-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/956-126-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1040-80-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1492-120-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1808-4-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1808-2-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1808-52-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1936-138-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1936-143-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2284-7-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2284-9-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2284-10-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2284-29-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2284-8-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2396-40-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2396-47-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3100-60-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3100-67-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3900-100-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4572-41-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4736-61-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/5024-86-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5060-158-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads