Malware Analysis Report

2024-10-23 19:35

Sample ID 240504-zqyp9aba6s
Target 147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118
SHA256 92247fc31f92d78870fbb2de0226d1f54ecb04534a04a265bd9b82159543a7ee
Tags
modiloader evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

92247fc31f92d78870fbb2de0226d1f54ecb04534a04a265bd9b82159543a7ee

Threat Level: Known bad

The file 147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

Modifies WinLogon for persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Adds policy Run key to start application

Deletes itself

Checks BIOS information in registry

Maps connected drives based on registry

Adds Run key to start application

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 20:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 20:55

Reported

2024-05-04 20:58

Platform

win7-20240221-en

Max time kernel

148s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\KB9201616\\KB9201616.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Windows\SysWOW64\svchost.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 hits, no details recorded)

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB9201616 = "\"C:\\Users\\Admin\\AppData\\Local\\KB9201616\\KB9201616.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB9201616 = "\"C:\\Users\\Admin\\AppData\\Local\\KB9201616\\KB9201616.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\svchost.exe | N/A

Disables Task Manager via registry modification

evasion

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\svchost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KB9201616 = "\"C:\\Users\\Admin\\AppData\\Local\\KB9201616\\KB9201616.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB9201616 = "\"C:\\Users\\Admin\\AppData\\Local\\KB9201616\\KB9201616.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\UseThemes = "1" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01E95A21-0A59-11EF-86DB-FA8378BF1C4A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | N/A (6 hits)
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (32 hits)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2388 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | C:\Windows\SysWOW64\svchost.exe (4 events)
PID 3028 wrote to memory of 1416 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe (4 events)
PID 1416 wrote to memory of 1588 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 events)

Processes

C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

"svchost.exe" "c:\users\admin\appdata\local\temp\147330a7ec2e27e2ed0fe0e921d45087_jaffacakes118.exe"path<<c:\users\admin\appdata\local\temp\147330a7ec2e27e2ed0fe0e921d45087_jaffacakes118.exe>>path

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://inmaster.biz/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fz5qiter.biz | udp
US | 8.8.8.8:53 | qx5xyngo.org | udp
US | 8.8.8.8:53 | inmaster.biz | udp

Files

memory/2388-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2388-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3028-2-0x0000000000950000-0x0000000000975000-memory.dmp

memory/3028-3-0x0000000000950000-0x0000000000975000-memory.dmp

memory/3028-5-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3028-4-0x0000000000950000-0x000000000096C000-memory.dmp

memory/3028-7-0x0000000000950000-0x000000000096C000-memory.dmp

memory/3028-8-0x0000000000950000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\KB9201616\KB9201616.exe

MD5 147330a7ec2e27e2ed0fe0e921d45087
SHA1 5c1113d0280326cef5f4085f7620a81001837041
SHA256 92247fc31f92d78870fbb2de0226d1f54ecb04534a04a265bd9b82159543a7ee
SHA512 4284af59a6b7391e661c9af3c953204e511d91ce26e7db1e6fd322bfdcde627d86e9b616af6ebdae56834d6a3b4d4ca0c4482f289f8138e5abf19988754cba14

memory/3028-21-0x0000000000950000-0x000000000096C000-memory.dmp

memory/3028-22-0x0000000000950000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab32C7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab3374.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a2874c24089b636ffbf7937eba5ab64
SHA1 59212539ee9d605c6fe52b5d56485599eb03dd19
SHA256 c48158eb189a00fb890c52653b2d9a57b3d9ab6a45f4cf13a6ee80a4b48da444
SHA512 b69cd57a10adc51c45cd54e824c156ad6fc3cc2b5c64672dc670111c15f169179cb8307d4064194d4b055626292682adf037d42cd06a8b6fb9bcd33422611c3d

C:\Users\Admin\AppData\Local\Temp\Tar3389.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b9c6b3fc8f8401cf4202226efca9e42
SHA1 65011b435d6271b57ed4677bbc16d1e3d86c8b82
SHA256 9d55bb675242c65f33fde723d933e30c32a4bbb6d2577483ccd1d620db5f6fcc
SHA512 a7b2a3e96b104fcd1ed3b037143a679389c5a250557349a11724ac1acef3e283cbd9106239a9088a3ad02825078e640507b5ca65847f488e142ddd9002c3766e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94b4e966c90af229e9281f725b94d4a9
SHA1 b1678e5e29d976733242670078ed3af0a0767449
SHA256 21361b6480e6a76c3e1211d1ec91579e8087462c164562d4ef1c5aa37b37dcf0
SHA512 5d1d15ad50be076254ca91572a1178db39d0dd6ade16d40e56c710e6ce0ed13ebc48f42350aa3cd1bde4702665f093d764b330e4ae0a9072e6d12a529d37e0ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0b4439b95f9b30dc6567bfc953f9d9b
SHA1 b152867c12ca25de419f9bf7941d874cf3bccc8b
SHA256 bf45727263cc755ae4cb67de960cbce5bb8371a9ba40a915f2d420e8f2486d69
SHA512 8917ecdf01350d30ad1eec40f3468d810742321da2371423d38adad164c8d0e7fb35049d23801ef25899741cbd1ae4e39cd77b1f150fc95cb6dbd4e63a3c5b76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3409ca8ad890fed076f7c4013a232fee
SHA1 33937e0e1d552ca1f2c6247d039ea9bbb8779b2e
SHA256 cd37d6b2993017761a0e6836fdb3c9677b35491e5ed7f5a16f0926bff4b9d8ce
SHA512 da8929cae752dd9eeed771428682fb26d89cdbb7220a992a4d63eaa160b395bb106e16d3b94d49cf3aee24e81614101b7ca50a416d876dec1aefb15837b3992b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3213af1cd3da4e08f343968d85d91c7
SHA1 8b79ca52ec93f474167c58f07d6be2220bf87c9d
SHA256 e1ba8646add50ccb30ac520da30fa3bed7d092b8d91e011823049bf77c1035c7
SHA512 d140d4639567b37594ad7c35fb37f99e4712687c337e1a9c7654d2f32b3b8d4760f982855dc3d84eb08b5215d5b2cf69299eda48532c0835a97a0d67332e9dbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26b1351c000f17a32a50e5b289cadf6c
SHA1 671cb724dba322a8b618f449b65946d95f715b84
SHA256 28bb51cc157866a02e67b658ed5ab561c6f3d7ef817126cc85ebd6548c77ebfe
SHA512 7dd41141446cf9bfd1d579bafec03ba6069f3a7110b0be2eae17411576ce364119a2339618b4f8691474800521a6c40d5a9d5d2ca8ec104446296505e98d88ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65b77e56c0193891ea8a67075ddd0c46
SHA1 4dcda3b0e3eb8c0bde3a32c7e628832ecf2e53d0
SHA256 71f2d2b86cb2bf261e29db92ff548d6df1b15f97aa21b6182006d17339dd0eb5
SHA512 3e73fe61d2b60baf80e9a6c5cc198023c48e38226dd96da4e4968a59ad2fba0b6899f95ac7baded21467a869aebca33bcb5778f861e9a33b935439b3f7d62270

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 263464424b5d9b4b6bc5a0bcad5f9d7f
SHA1 0abb17417b1f074585f4dc438580f6439e446361
SHA256 ec6e02d9f7b5786a1e50c8e832f1ab4597440aa6446e0710cc0dd0b129b1b94c
SHA512 63d8b82bad85a253e06d50a1a37cbda5d12704109a288cd3d5bb9cd251a432f7f725aea081f531c1c4830d2a9e3ec20d652b8d2eb4a0d367180d73b43093f147

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 20:55

Reported

2024-05-04 20:58

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\KB1429679\\KB1429679.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Windows\SysWOW64\svchost.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 hits, no details recorded)

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB1429679 = "\"C:\\Users\\Admin\\AppData\\Local\\KB1429679\\KB1429679.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB1429679 = "\"C:\\Users\\Admin\\AppData\\Local\\KB1429679\\KB1429679.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\svchost.exe | N/A

Disables Task Manager via registry modification

evasion

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\svchost.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KB1429679 = "\"C:\\Users\\Admin\\AppData\\Local\\KB1429679\\KB1429679.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB1429679 = "\"C:\\Users\\Admin\\AppData\\Local\\KB1429679\\KB1429679.exe\"" | C:\Windows\SysWOW64\svchost.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\UseThemes = "1" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "yes" | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | N/A (12 hits)
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (52 hits)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\147330a7ec2e27e2ed0fe0e921d45087_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

"svchost.exe" "c:\users\admin\appdata\local\temp\147330a7ec2e27e2ed0fe0e921d45087_jaffacakes118.exe"path<<c:\users\admin\appdata\local\temp\147330a7ec2e27e2ed0fe0e921d45087_jaffacakes118.exe>>path

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4284 -ip 4284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://inmaster.biz/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5224 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3788 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5924 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5448 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5584 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 fz5qiter.biz udp
US 8.8.8.8:53 qx5xyngo.org udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 inmaster.biz udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
NL 2.18.121.10:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 10.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 inmaster.biz udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp

Files

memory/4284-0-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4284-1-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1584-2-0x0000000000030000-0x000000000005B000-memory.dmp

memory/1584-4-0x0000000000030000-0x000000000005B000-memory.dmp

memory/1584-6-0x0000000000030000-0x000000000003E000-memory.dmp

memory/1584-5-0x0000000000030000-0x000000000004C000-memory.dmp

memory/1584-8-0x0000000000030000-0x000000000004C000-memory.dmp

C:\Users\Admin\AppData\Local\KB1429679\KB1429679.exe

MD5 147330a7ec2e27e2ed0fe0e921d45087
SHA1 5c1113d0280326cef5f4085f7620a81001837041
SHA256 92247fc31f92d78870fbb2de0226d1f54ecb04534a04a265bd9b82159543a7ee
SHA512 4284af59a6b7391e661c9af3c953204e511d91ce26e7db1e6fd322bfdcde627d86e9b616af6ebdae56834d6a3b4d4ca0c4482f289f8138e5abf19988754cba14

memory/1584-22-0x0000000000030000-0x000000000004C000-memory.dmp