Malware Analysis Report

2024-10-23 15:30

Sample ID 240501-sqpn1sca62
Target 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118
SHA256 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
Tags trickbot tot346 banker evasion trojan persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e

Threat Level: Known bad

The file 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

trickbot tot346 banker evasion trojan persistence

Trickbot

Trickbot x86 loader

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-01 15:19

Signatures

Unsigned PE

(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 15:19

Reported

2024-05-01 15:22

Platform

win7-20240419-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot x86 loader

(3 matches; no indicator details recorded)

Stops running service(s)

evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

The acting process is powershell.exe itself and the path is an unexpanded %ProgramData% resolved against its SysWOW64 working directory, so read this hit as a side effect of the PowerShell host starting up rather than as a file the sample planted in System32.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Modifies data under HKEY_USERS

All writes are by the injected svchost.exe under the .DEFAULT hive, i.e. the LocalSystem profile. The LanguageList data is REG_MULTI_SZ in UTF-16LE and decodes to "en-US", "en"; the remaining entries are the empty certificate-store key hierarchy that CryptoAPI creates the first time a process under that profile opens the system stores, consistent with the HTTPS connection recorded under Network. None of these keys is a persistence mechanism.

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

AdjustTokenPrivileges can only enable privileges the token already holds, so the SeTcbPrivilege request from the dropped copy is recorded as an attempt; an Admin user's token does not normally carry it.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Events is how many times the row was reported. A few writes from a parent into a child it has just created are normal CreateProcess behaviour; the sustained run of 36 writes from the dropped copy into svchost.exe (PID 2108) is consistent with payload injection.

Description Events Process Target
PID 2392 wrote to memory of 3032 4 C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 1940 4 C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2592 4 C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2696 4 C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
PID 3032 wrote to memory of 2628 4 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2592 wrote to memory of 2604 4 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 2632 4 C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2696 wrote to memory of 2108 36 C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

Each process is listed as image path followed by its command line. Parent/child layout is reconstructed from the WriteProcessMemory table above; PIDs are given where that table makes them unambiguous. The second launch of the dropped copy is listed after taskeng.exe and is shown as its child, matching the "Uses Task Scheduler COM API" signature; the report records no PIDs for it.

C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe  (PID 2392)
    "C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"
  C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
    C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
  C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
    C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
  C:\Windows\SysWOW64\cmd.exe  (PID 2592)
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2604)
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
  C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe  (PID 2696)
      C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
    C:\Windows\system32\svchost.exe  (PID 2108)
        C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
    taskeng.exe {7C77231E-F896-4F4B-8592-C25C00479160} S-1-5-18:NT AUTHORITY\System:Service:
  C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
    C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.myexternalip.com udp
US 34.117.118.44:443 www.myexternalip.com tcp

Files

Memory dumps, grouped by process and region; the dump sequence numbers in brackets give the order in which they were taken.

memory/2392  0x0000000000270000-0x0000000000271000  [2-16, 20]
memory/2392  0x0000000000280000-0x00000000002C0000  [17, 21, 34]
memory/2392  0x0000000000400000-0x0000000000487000  [19]
memory/2696  0x0000000000260000-0x0000000000261000  [36-49]
memory/2696  0x0000000010000000-0x0000000010007000  [52, 53]
memory/2108  0x0000000140000000-0x0000000140039000  [56, 57]
memory/1376  0x00000000002E0000-0x00000000002E1000  [68-81]

PID 1376 does not appear in the Processes list above.

\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe

MD5 0c22a5b5e552e17e9123d6d3a001604d
SHA1 3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
SHA256 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
SHA512 b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490

The SHA256 (and the MD5, which the sample's own filename encodes) match the submitted sample: the "dropped EXE" is a byte-identical copy of the loader placed in %APPDATA%\WSIGE under a name in which several characters of the original filename were each incremented by one (a5b5 -> a6b6, JaffaCakes118 -> KaffaDaket119). Hash-based hunting for the sample therefore also finds the persistence copy.
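
An added helper, not part of the sandbox report, for reading a Files section like the one above: it groups the memory/<pid>-<seq>-<start>-<end>-memory.dmp entries by process and region, flags regions that begin at a linker default image base (0x400000 for 32-bit EXEs, 0x10000000 for 32-bit DLLs, 0x140000000 and 0x180000000 for 64-bit images), and checks whether the dropped file is a renamed copy of the sample. The lines it parses are a subset copied from this report; the default-base table is background knowledge, and the reading that a region at such a base holds a whole mapped PE is an inference to confirm against the dump, not something the report states.

```python
"""Added helper: make sense of the Files section of a sandbox report.

Groups memory-dump entries by process and region, flags regions that start
at a PE default image base, and checks whether the dropped file is a renamed
copy of the submitted sample.  REPORT_LINES is a subset copied from this
report's Files section; nothing here is the sandbox's own code."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Default preferred image bases chosen by the MSVC linker (background
# knowledge, not from the report).  A dumped region beginning exactly at one
# of these hints that a whole PE image, not just a shellcode stub, was mapped.
KNOWN_BASES = {
    0x400000: "32-bit EXE default base",
    0x10000000: "32-bit DLL default base",
    0x140000000: "64-bit EXE default base",
    0x180000000: "64-bit DLL default base",
}

REPORT_LINES = [  # copied from this report's Files section (subset)
    "memory/2392-19-0x0000000000400000-0x0000000000487000-memory.dmp",
    "memory/2392-17-0x0000000000280000-0x00000000002C0000-memory.dmp",
    "memory/2392-2-0x0000000000270000-0x0000000000271000-memory.dmp",
    "memory/2392-3-0x0000000000270000-0x0000000000271000-memory.dmp",
    "memory/2696-52-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2696-53-0x0000000010000000-0x0000000010007000-memory.dmp",
    "memory/2108-56-0x0000000140000000-0x0000000140039000-memory.dmp",
    "memory/2108-57-0x0000000140000000-0x0000000140039000-memory.dmp",
    "memory/1376-68-0x00000000002E0000-0x00000000002E1000-memory.dmp",
    r"\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe",
]

SAMPLE_NAME = "0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"
SAMPLE_SHA256 = "34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e"
DROPPED_NAME = "0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe"
DROPPED_SHA256 = "34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e"


def parse_dumps(lines):
    """{(pid, start, end): [seq, ...]} for every dump entry; other lines are skipped."""
    regions = defaultdict(list)
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            regions[(pid, start, end)].append(seq)
    return {key: sorted(seqs) for key, seqs in regions.items()}


def summarize(regions):
    """One row per (pid, region): size, dump count, note when start is a default image base."""
    return [
        {"pid": pid, "start": start, "size": end - start, "dumps": len(seqs),
         "note": KNOWN_BASES.get(start, "")}
        for (pid, start, end), seqs in sorted(regions.items())
    ]


def name_edits(original, dropped):
    """Positions where two equal-length names differ, with the code-point delta."""
    if len(original) != len(dropped):
        return None
    return [(i, a, b, ord(b) - ord(a))
            for i, (a, b) in enumerate(zip(original, dropped)) if a != b]


def classify_drop(sample_sha256, dropped_sha256, original, dropped):
    """'self_copy' when the bytes are identical, else 'distinct'; plus the filename edits."""
    edits = name_edits(original, dropped)
    return {
        "verdict": "self_copy" if sample_sha256.lower() == dropped_sha256.lower() else "distinct",
        "name_edits": edits,
        "all_plus_one": bool(edits) and all(d == 1 for *_, d in edits),
    }


if __name__ == "__main__":
    for row in summarize(parse_dumps(REPORT_LINES)):
        print(f"PID {row['pid']:>5}  base 0x{row['start']:X}  size 0x{row['size']:X}  "
              f"dumps {row['dumps']}  {row['note']}")
    print(classify_drop(SAMPLE_SHA256, DROPPED_SHA256, SAMPLE_NAME, DROPPED_NAME))
```

Run against this report it separates the loader's own image in PID 2392 (0x400000, 0x87000 bytes) from a 0x7000-byte module at the 32-bit DLL base in the dropped copy (PID 2696) and a 0x39000-byte region at the 64-bit EXE base inside the 64-bit svchost.exe (PID 2108); the last is consistent with a 32-bit loader injecting a 64-bit payload, which is what the "Trickbot x86 loader" tag describes, but only the dump itself can confirm that a valid PE header sits there.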

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 15:19

Reported

2024-05-01 15:22

Platform

win10v2004-20240419-en

Max time kernel

111s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"

Signatures

Trickbot

trojan banker trickbot

Trickbot x86 loader

(5 matches; no indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe N/A

Adds Run key to start application

persistence

The writer is the injected svchost.exe, not the dropped copy itself, and the value name is the full path of the copy.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WSIGE\\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe" C:\Windows\system32\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipecho.net N/A N/A
N/A ipinfo.io N/A N/A
N/A icanhazip.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ident.me N/A N/A
N/A checkip.amazonaws.com N/A N/A
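
Detection logic for the behaviour recorded across the two detonations (sc.exe stopping and deleting WinDefend, Set-MpPreference -DisableRealtimeMonitoring, a Run key written by svchost.exe that points into %APPDATA%\Roaming, and DNS lookups of the external-IP services listed above), as an added Python example that is not part of the sandbox report. The events it runs over are constructed from the command lines, Run key and domains on this page plus a few benign controls that must not fire; the Event shape and rule names are assumptions of this example, not any SIEM's schema.

```python
"""Added detection logic for the behaviour this report records: Defender
tampering through sc.exe and Set-MpPreference, a Run key written by
svchost.exe pointing into %APPDATA%\\Roaming, and external-IP lookups.
SAMPLE_EVENTS is constructed from the command lines, Run key and domains on
this page plus benign controls; Event and the rule names are this example's."""
import re
from dataclasses import dataclass

# Domains from the "Looks up external IP address via web service" table and
# the behavioral1 Network table.
IP_CHECK_DOMAINS = {
    "ipecho.net", "ipinfo.io", "icanhazip.com", "api.ipify.org",
    "ident.me", "checkip.amazonaws.com", "www.myexternalip.com",
}

# sc stop / delete / config against the Defender service, whether seen in the
# sc.exe command line itself or in the cmd.exe /c wrapper that launched it.
SC_WINDEFEND = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+windefend\b", re.I)
# Set-MpPreference switching any -Disable* setting on ($true or 1).
MPPREF_DISABLE = re.compile(r"set-mppreference\b.*-disable\w+\s+(?:\$true|1)\b", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
ROAMING = re.compile(r"\\appdata\\roaming\\", re.I)


@dataclass
class Event:
    kind: str          # "process", "registry" or "dns"
    image: str = ""    # image path of the acting process
    cmdline: str = ""  # process events
    key: str = ""      # registry events: full key path including value name
    value: str = ""    # registry events: data written
    query: str = ""    # dns events: name queried


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(e):
    """Names of every rule the event trips; an empty list for benign events."""
    hits = []
    if e.kind == "process":
        if SC_WINDEFEND.search(e.cmdline):
            hits.append("defender_service_tamper")
        if MPPREF_DISABLE.search(e.cmdline):
            hits.append("defender_mppreference_disable")
    elif e.kind == "registry" and RUN_KEY.search(e.key):
        # Either oddity from the report is enough on its own: svchost.exe does
        # not legitimately write Run keys, and autoruns under Roaming are rare
        # outside malware and a handful of updaters.
        if basename(e.image) == "svchost.exe" or ROAMING.search(e.value):
            hits.append("run_key_suspicious_writer_or_path")
    elif e.kind == "dns" and e.query.lower().rstrip(".") in IP_CHECK_DOMAINS:
        hits.append("external_ip_lookup")
    return hits


def detect(events):
    """(rule, event) pairs for every hit, in event order."""
    return [(rule, e) for e in events for rule in match_event(e)]


SAMPLE_EVENTS = [  # constructed from this report; not sandbox output
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", "/c sc stop WinDefend"),
    Event("process", r"C:\Windows\SysWOW64\sc.exe", "sc stop WinDefend"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", "/c sc delete WinDefend"),
    Event("process", r"C:\Windows\SysWOW64\sc.exe", "sc delete WinDefend"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("registry", r"C:\Windows\system32\svchost.exe",
          key=r"\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe",
          value=r"C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe"),
    Event("dns", query="www.myexternalip.com"),
    # Benign controls (constructed): none of these should match.
    Event("process", r"C:\Windows\System32\sc.exe", "sc query WinDefend"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell Get-MpPreference"),
    Event("registry", r"C:\Windows\explorer.exe",
          key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
          value=r"C:\Program Files\Vendor\Updater.exe"),
    Event("dns", query="www.microsoft.com"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {ev.kind:8} {ev.cmdline or ev.key or ev.query}")
```

The cmd.exe wrapper and the child it launches both fire, which is deliberate: on a host where only one of the two process-creation events survives, the rule still has a chance. Tune the Run-key rule to your estate before deploying it; the svchost.exe-as-writer condition is the sharp signal here, the Roaming-path condition the noisier one.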

Suspicious use of WriteProcessMemory

Identical rows collapsed; Events is how many times the row was reported.

Description Events Process Target
PID 4568 wrote to memory of 2880 3 C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
PID 2880 wrote to memory of 4064 59 C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe C:\Windows\system32\svchost.exe
PID 2880 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe C:\Windows\system32\svchost.exe
PID 2880 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe C:\Windows\system32\svchost.exe
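Rows like the ones above are more useful collapsed and ranked per source/target pair than read one by one. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it parses rows in the report's own "PID A wrote to memory of B" layout, groups them by (source PID, target PID), and scores each pair on two cues this report exhibits, a source image running from a user-writable directory and a target that is a trusted Windows host binary such as svchost.exe. The report row is embedded as input together with one constructed control row (a hypothetical "Example Vendor" updater writing into its own helper process); the user-writable directory list and the injection-host list are assumptions chosen for illustration.

```python
"""Collapse and rank sandbox 'PID A wrote to memory of B' rows per source/target pair."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Row layout as printed in the report: description, indicator, source image, target image.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<indicator>\S+)\s+"
    r"(?P<src_image>[A-Za-z]:\\.+?\.exe)\s+(?P<dst_image>[A-Za-z]:\\.+?\.exe)\s*$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to (assumed list): a process whose image
# lives here was not started by Windows itself.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
# Trusted Windows binaries that loaders commonly pick as injection hosts (assumed list).
INJECTION_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe", "wermgr.exe"}

# The row from the report (printed 28 times there), plus one constructed control row for a
# hypothetical vendor updater writing into its own helper process.
REPORT_ROW = (
    r"PID 2880 wrote to memory of 4064 N/A "
    r"C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe "
    r"C:\Windows\system32\svchost.exe"
)
CONTROL_ROW = (
    r"PID 700 wrote to memory of 812 N/A "
    r"C:\Program Files\Example Vendor\updater.exe C:\Program Files\Example Vendor\helper.exe"
)
SAMPLE_ROWS = [REPORT_ROW] * 28 + [CONTROL_ROW]


@dataclass
class Finding:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    count: int                      # number of WriteProcessMemory rows for this pair
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # 0 cues -> low, 1 cue -> medium, both cues -> high
        return {0: "low", 1: "medium"}.get(len(self.reasons), "high")


def parse_row(line: str) -> Optional[Tuple[int, int, str, str]]:
    """Return (src_pid, dst_pid, src_image, dst_image) for a row, or None if not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def triage_injection(lines) -> List[Finding]:
    """Group rows by (source PID, target PID), score each pair, strongest finding first."""
    counts = defaultdict(int)
    images = {}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, dst, src_img, dst_img = parsed
        counts[(src, dst)] += 1
        images[(src, dst)] = (src_img, dst_img)

    findings = []
    for (src, dst), n in counts.items():
        src_img, dst_img = images[(src, dst)]
        reasons = []
        if any(d in src_img.lower() for d in USER_WRITABLE):
            reasons.append("source image runs from a user-writable directory")
        if (PureWindowsPath(dst_img).name.lower() in INJECTION_HOSTS
                and "\\windows\\" in dst_img.lower()):
            reasons.append("target is a trusted Windows host binary")
        findings.append(Finding(src, dst, src_img, dst_img, n, reasons))
    findings.sort(key=lambda f: (len(f.reasons), f.count), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_injection(SAMPLE_ROWS):
        print(f"{f.severity:6} x{f.count:<3} {f.src_pid}->{f.dst_pid} "
              f"{PureWindowsPath(f.src_image).name} -> {PureWindowsPath(f.dst_image).name} "
              f"{'; '.join(f.reasons) or 'no cue'}")
```

Run as a script, it ranks the report's 2880 -> 4064 pair as high (both cues, 28 writes) and the control pair as low. Counting per pair matters in practice: a single cross-process write into svchost.exe can be a benign hook, while dozens from an unsigned binary in %APPDATA% are the shape of a loader staging a payload.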

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"
(the submitted sample; of the three PIDs that appear in the Files section, the only one not accounted for below is 4568)

C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
Command line: C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
(the dropped copy of the sample, run from %APPDATA%\WSIGE; PID 2880 per the WriteProcessMemory rows)

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe
(PID 4064; the target of the WriteProcessMemory calls from PID 2880)

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 ident.me udp
US 8.8.8.8:53 www.myexternalip.com udp
US 8.8.8.8:53 checkip.amazonaws.com udp
US 8.8.8.8:53 ipecho.net udp
US 8.8.8.8:53 ipinfo.io udp
EC 181.113.17.230:449 - tcp
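The Network table shows two behaviours: a burst of DNS lookups for public external-IP services (the "Looks up external IP address via web service" signature) and a single TCP session to a raw address on port 449 with no DNS name, which is the shape of a hard-coded C2 check-in (TCP 449 is a port long associated with Trickbot C2). The Python below is an added example, not part of the report: it parses rows in the table's "Country Destination Domain Proto" layout, labels each row, and derives a block list and a watch list from them. The ten rows are copied from the table above and embedded so the script runs offline; the service list and the "common web ports" threshold are assumptions.

```python
"""Classify the rows of a sandbox Network table and turn them into IOCs."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Public "what is my IP" services (assumed list; these eight are the ones this report shows).
IP_CHECK_SERVICES = {
    "icanhazip.com", "api.ipify.org", "api.ip.sb", "ident.me",
    "www.myexternalip.com", "checkip.amazonaws.com", "ipecho.net", "ipinfo.io",
}
# A direct-to-IP TCP session on these ports is common enough in ordinary traffic that it
# is not, by itself, a C2 cue (assumed threshold).
COMMON_WEB_PORTS = {80, 443}

# "US 8.8.8.8:53 icanhazip.com udp"  or  "EC 181.113.17.230:449 tcp" (Domain cell empty or "-")
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>[\w.-]+)\s+)?(?P<proto>tcp|udp)$"
)

# The ten rows of the report's Network table, embedded so the example runs offline.
REPORT_ROWS = [
    "US 8.8.8.8:53 g.bing.com udp",
    "US 8.8.8.8:53 icanhazip.com udp",
    "US 8.8.8.8:53 api.ipify.org udp",
    "US 8.8.8.8:53 api.ip.sb udp",
    "US 8.8.8.8:53 ident.me udp",
    "US 8.8.8.8:53 www.myexternalip.com udp",
    "US 8.8.8.8:53 checkip.amazonaws.com udp",
    "US 8.8.8.8:53 ipecho.net udp",
    "US 8.8.8.8:53 ipinfo.io udp",
    "EC 181.113.17.230:449 tcp",
]


@dataclass(frozen=True)
class NetEvent:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str
    category: str


def classify_row(line: str) -> Optional[NetEvent]:
    """Parse one table row and label it; returns None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"])
    proto = m["proto"]
    domain = m["domain"] if m["domain"] not in (None, "-") else None
    if proto == "udp" and port == 53 and domain:
        # A DNS query: the resolver address is not the destination of interest, the name is.
        category = "external-ip-check" if domain.lower() in IP_CHECK_SERVICES else "dns-lookup"
    elif proto == "tcp" and domain is None:
        # No name was resolved for this peer, so the address was carried inside the sample.
        category = "direct-ip-web" if port in COMMON_WEB_PORTS else "c2-candidate"
    else:
        category = "other"
    return NetEvent(m["cc"], m["ip"], port, domain, proto, category)


def triage_network(lines):
    """Return (events, iocs): the labelled rows plus block/watch lists derived from them."""
    events = [e for e in map(classify_row, lines) if e is not None]
    iocs = {
        "block_tcp": sorted({f"{e.ip}:{e.port}" for e in events if e.category == "c2-candidate"}),
        "watch_domains": sorted({e.domain for e in events if e.category == "external-ip-check"}),
        "counts": dict(Counter(e.category for e in events)),
    }
    return events, iocs


if __name__ == "__main__":
    events, iocs = triage_network(REPORT_ROWS)
    for e in events:
        print(f"{e.category:18} {e.proto} {e.ip}:{e.port} {e.domain or '-'}")
    print(iocs)
```

The two lists are deliberately kept apart: the raw IP:port is a block candidate, while the external-IP services are legitimate sites that many benign programs also query, so they belong on a watch list (a host that resolves several of them in one burst is the signal, not any one lookup).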

Files

Memory dump entries are named memory/<PID>-<dump sequence number>-<start address>-<end address>-memory.dmp; the address range is the region of the process that was dumped.

memory/4568-16-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-17-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/4568-15-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-14-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-13-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-12-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-11-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-10-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-9-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-8-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-7-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-6-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-5-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-4-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-2-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-21-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/4568-20-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4568-19-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe

MD5 0c22a5b5e552e17e9123d6d3a001604d
SHA1 3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
SHA256 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
SHA512 b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490

All four hashes match the submitted sample, so the file under %APPDATA%\WSIGE is a byte-for-byte copy of it; only the name differs (several characters of the original name shifted by one, so JaffaCakes118 becomes KaffaDaket119). A file-hash block on the sample therefore also covers the dropped copy.

memory/2880-33-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-32-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-31-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-30-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-29-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-38-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-42-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-41-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-47-0x0000000002B90000-0x0000000002BD0000-memory.dmp

memory/2880-46-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-45-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2880-40-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-39-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-37-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-36-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-35-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-34-0x0000000000690000-0x0000000000691000-memory.dmp

memory/2880-48-0x0000000010000000-0x0000000010007000-memory.dmp

memory/4568-53-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/4064-54-0x0000000140000000-0x0000000140039000-memory.dmp

memory/2880-62-0x0000000002160000-0x0000000002161000-memory.dmp

memory/4064-61-0x0000020826450000-0x0000020826451000-memory.dmp

memory/4064-55-0x0000000140000000-0x0000000140039000-memory.dmp

memory/2880-63-0x00000000030D0000-0x000000000318E000-memory.dmp

memory/2880-65-0x0000000002B90000-0x0000000002BD0000-memory.dmp

memory/2880-64-0x0000000003190000-0x0000000003459000-memory.dmp

memory/4064-71-0x0000000140000000-0x0000000140039000-memory.dmp