API tools faq
paste
Advertisement
spamreports

server.jpg.exe

spamreports
Nov 20th, 2019
224
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.19 KB | None | 0 0
raw download clone embed print report
  1. [[ https://cdn.discordapp[.]com/attachments/588286158258307072/610861960275427372/server.jpg.exe ]]
  2. Defense Evasion
  3.  
  4. Discovery
  5. Executes dropped EXE
  6. server.jpg.exe
  7. server.jpg.exe
  8. server.jpg.exe
  9. Drops file in system dir
  10. DllHost.exe
  11. Reported IOC
  12. DllHost.exe
  13. C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT File opened for modification
  14. Suspicious use of AdjustPrivilegeToken
  15. server.jpg.exe
  16. Reported IOC
  17. server.jpg.exe
  18. Token: SeDebugPrivilege
  19. Modifies Internet Explorer settings
  20. iexplore.exe
  21. IEXPLORE.EXE
  22. Matched TTPs
  23. Modify Registry
  24. Reported IOC
  25. iexplore.exe
  26. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" Set value (int)
  27. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F85D4E1-0B6D-11EA-9335-F69B66539C0F} = "0" Set value (int)
  28. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Set value (str)
  29. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" Set value (str)
  30. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 Set value (data)
  31. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" Set value (int)
  32. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b0723a3e7a9fd501 Set value (data)
  33. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" Set value (int)
  34. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000c991f2185dda57fd4a76d5c785c3a9e596bda73dcc9424d2dbf0b395762dc009000000000e800000000200002000000077acd5d95ee23ed6ab5f31f40e0593fe93e7ef7f8105181df0bb70d5686ea52820000000b53713777db1dd04cb7027e7903e92fe8da4ce744b069b433ab1314dadb64bb640000000fbbd2725def4a781c94148b8c33e3acaa0bd85f8211bcf6b5363024d902b70416d2e391f883451f1d084d2413e44f021e8c0ce6cbe02747af87eb06acc43c42c Set value (data)
  35. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604133497a9fd501 Set value (data)
  36. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000706cab7bdf67f7f4f3cb9eae672207e042d8b723c3a6a58bf4f3c0540489fd80000000000e8000000002000020000000b66f82c6c15a6d76afe2b47257d0e5bb085834789ef9b3a5487e6561392595cf900000001b4a9babcaba3163033c29ecb539e2287ff318f049e4e294a9c816917e728230ed7fb730552134fbc16501a8b38042c828eb6352175b98cd8ca0568a1e1d88b8eb64cb5c3ba36b9469d4b1df333627bb3b8ca64c7ee5f5f66d0fefecf25e9434d02b8d6aca13b05d897e4dce44823a33c9f8e198d8c90e88a93335883832fe5079d46475d7ec11c0d3ea5db8591cc71340000000ea58ef9840502b10679da10397dc80877a42be5d81deefdd7c9799955bffe89a0c300962dfd7fa9071081f2df9c59ef7abd8fe5faa1887d148151a5e2b8a37bf Set value (data)
  37. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" Set value (str)
  38. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "281002501" Set value (int)
  39. Reported IOC
  40. IEXPLORE.EXE
  41. \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Set value (str)
  42. Suspicious use of FindShellTrayWindow
  43. iexplore.exe
  44. DllHost.exe
  45. Uses Volume Shadow Copy WMI provider
  46. iexplore.exe
  47. Reported IOC
  48. iexplore.exe
  49. \Registry\Machine\Software\Classes\CLSID\{890CB943-D715-401B-98B1-CF82DCF36D7C}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  50. Uses Volume Shadow Copy Service COM API
  51. iexplore.exe
  52. Reported IOC
  53. iexplore.exe
  54. \Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  55. Suspicious use of WriteProcessMemory
  56. iexplore.exe
  57. server.jpg.exe
  58. server.jpg.exe
  59. Reported IOC
  60. iexplore.exe
  61. PID 876 wrote to memory of 1840
  62. PID 876 wrote to memory of 1284
  63. Reported IOC
  64. server.jpg.exe
  65. PID 1284 wrote to memory of 1188
  66. Reported IOC
  67. server.jpg.exe
  68. PID 1188 wrote to memory of 2240
  69. Suspicious use of SetWindowsHookEx
  70. iexplore.exe
  71. IEXPLORE.EXE
  72. Modifies system certificate store
  73. IEXPLORE.EXE
  74. Matched TTPs
  75. Install Root Certificate
  76. Modify Registry
  77. Reported IOC
  78. IEXPLORE.EXE
  79. \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030753000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d5503000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 Set value (data)
  80. Uses Task Scheduler COM API
  81. iexplore.exe
  82. Matched TTPs
  83. Query Registry
  84. Reported IOC
  85. iexplore.exe
  86. \Registry\Machine\Software\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} Key opened
  87. Suspicious behavior: EnumeratesProcesses
  88. server.jpg.exe
  89. C:\Program Files\Internet Explorer\iexplore.exe
  90. "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/588286158258307072/610861960275427372/server.jpg.exe
  91. PID: 876
  92. C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe
  93. "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe"
  94. PID: 1284
  95. C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe
  96. "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe"
  97. PID: 1188
  98. C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe
  99. "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N88JCJXC\server.jpg.exe"
  100. PID: 2240
  101. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  102. "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
  103. PID: 1840
  104. DllHost.exe
  105. C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  106. PID: 2268
  107. 5.76.196.255:96
  108. server.jpg.exe
  109. GET
  110. 200
  111. 80.239.205.41:80
  112. http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
  113. 162.159.130.233:443
  114. cdn.discordapp.com
  115. 204.79.197.200:443
  116. ieonline.microsoft.com
  117. GET
  118. 200
  119. 151.139.128.14:80
  120. http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
  121. 162.159.130.233:443
  122. cdn.discordapp.com
  123. IEXPLORE.EXE
  124. GET
  125. 200
  126. 151.139.128.14:80
  127. http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
  128. 5.76.196.255:96
  129. server.jpg.exe
  130. 5.76.196.255:96
  131. server.jpg.exe
  132. 162.159.130.233:443
  133. cdn.discordapp.com
  134. IEXPLORE.EXE
  135. GET
  136. 200
  137. 72.21.91.29:80
  138. http://crl.verisign.com/pca3.crl
  139. GET
  140. 304
  141. 93.184.220.29:80
  142. http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
  143. iexplore.exe
  144. Bytes Sent: 1.1kB Bytes Received: 2.6kB Packets Sent: 7 Packets Received: 5
  145. HTTP Request
  146. Cache-Control: max-age = 150794
  147. Connection: Keep-Alive
  148. Accept: */*
  149. If-Modified-Since: Fri, 18 Oct 2019 05:01:50 GMT
  150. If-None-Match: "5da9473e-5e3"
  151. User-Agent: Microsoft-CryptoAPI/6.1
  152. HTTP Response
  153. Server: ECS (amb/6BA2)
  154. Content-Type: application/ocsp-response
  155. Last-Modified: Wed, 20 Nov 2019 06:00:46 GMT
  156. Date: Wed, 20 Nov 2019 07:13:14 GMT
  157. Etag: "5dd4d68e-5e3"
  158. Expires: Fri, 22 Nov 2019 06:58:41 GMT
  159. X-Cache: HIT
  160. Content-Length: 1507
  161. Accept-Ranges: bytes
  162. Cache-Control: max-age=171927
  163. HTTP Request
  164. Accept: */*
  165. If-Modified-Since: Wed, 20 Nov 2019 06:00:46 GMT
  166. If-None-Match: "5dd4d68e-5e3"
  167. User-Agent: Microsoft-CryptoAPI/6.1
  168. Cache-Control: max-age = 171927
  169. Connection: Keep-Alive
  170. HTTP Response
  171. Cache-Control: max-age=171927
  172. Date: Wed, 20 Nov 2019 07:13:14 GMT
  173. Etag: "5dd4d68e-5e3"
  174. Expires: Fri, 22 Nov 2019 06:58:41 GMT
  175. Last-Modified: Wed, 20 Nov 2019 06:00:46 GMT
  176. Server: ECS (amb/6BA2)
  177. X-Cache: HIT
  178. Accept-Ranges: bytes
  179. 162.159.130.233:443
  180. cdn.discordapp.com
  181. 204.79.197.200:443
  182. ieonline.microsoft.com
  183. GET
  184. 200
  185. 13.107.4.50:80
  186. http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/02FAF3E291435468607857694DF5E45B68851868.crt
  187. 5.76.196.255:96
  188. server.jpg.exe
  189. GET
  190. 200
  191. 151.139.128.14:80
  192. http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
  193. 162.159.130.233:443
  194. cdn.discordapp.com
  195. 162.159.130.233:443
  196. cdn.discordapp.com
  197. 5.76.196.255:96
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!