Analysis Overview
SHA256
973f74de3ec947a70f8d8c587d333b34d71f0fd56af8afb9b9579397a81d7bc3
Threat Level: Known bad
The file 2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Adds policy Run key to start application
Modifies Installed Components in the registry
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Deletes itself
Modifies WinLogon
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 03:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:55
Platform
win7-20240220-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Windows\SysWOW64\NET.exe
NET STOP SharedAccess
C:\Windows\SysWOW64\NET.exe
NET STOP srservice
C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP SharedAccess
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | you.no-ip.com | udp |
| US | 8.8.8.8:53 | you.no-ip.com | udp |
| US | 8.8.8.8:53 | you.no-ip.com | udp |
| US | 8.8.8.8:53 | www.icq.com | udp |
| US | 8.8.8.8:53 | www.yoursite.com | udp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 104.21.13.178:80 | www.yoursite.com | tcp |
| RU | 5.61.236.229:80 | www.icq.com | tcp |
| US | 8.8.8.8:53 | mta7.am0.yahoodns.net | udp |
| US | 98.136.96.76:25 | mta7.am0.yahoodns.net | tcp |
Files
memory/2432-0-0x00000000002E0000-0x00000000002E1000-memory.dmp
\Windows\SysWOW64\fservice.exe
| MD5 | 2d32b6e42e9ca81ae04ad9b5d5a6f4ef |
| SHA1 | 6fe29a47f4354304170156584aebc69357002498 |
| SHA256 | 973f74de3ec947a70f8d8c587d333b34d71f0fd56af8afb9b9579397a81d7bc3 |
| SHA512 | 635146905d1da5f5cc36628cd04a7076138ffc384f8f716be7f02047e7fa277342cb3edbb478ddfdccf8d098008705696573fa0dce81168444cf2d547d2d91eb |
memory/2872-16-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2532-22-0x0000000000270000-0x0000000000271000-memory.dmp
\Windows\SysWOW64\winkey.dll
| MD5 | d910659cca6a1650c10ff263c8a10fe7 |
| SHA1 | d38dbccb50b63430a51d8f6df2a6c4d23677cff0 |
| SHA256 | 5b308dfdd00dadc887a56f90e05ebfa9963be0c463d524e2ddd8680cb810d2d8 |
| SHA512 | 30c2e455478d270fc1800d251e36014f16c5e7dd9e67c1c1b0f5d4e6070fbd2875c6706efff710b83897704cefb10c7ce1b5c993548568c1f142e5b5c8d44df4 |
memory/2532-26-0x0000000010000000-0x000000001000B000-memory.dmp
\Windows\SysWOW64\reginv.dll
| MD5 | 904f3b552d0b762edb4520163d12d3cf |
| SHA1 | 5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a |
| SHA256 | 6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874 |
| SHA512 | 14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4 |
memory/2532-31-0x0000000002000000-0x0000000002008000-memory.dmp
memory/2872-34-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2872-42-0x0000000010000000-0x0000000010008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe.bat
| MD5 | f0c661bad5857604f028b29c14afabb7 |
| SHA1 | 253b8f2d2a1cdceacd660e54a984aa914d6b04ad |
| SHA256 | d6710a833f158f5e39c5691912613c18dff71ad5fa52e782d0c264ecfd73d020 |
| SHA512 | 2489a4b7d2b8a51b2e740335a5bde547cd7b6100d2f789cd2d3f1472ff41c14c37a6584dd725e27576f447b50c6faf220441b22d963cae24074fdc3ebd1e564b |
memory/2872-35-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/2432-46-0x0000000010000000-0x0000000010008000-memory.dmp
memory/2432-45-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/2532-50-0x0000000010000000-0x000000001000B000-memory.dmp
memory/2532-49-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/2532-51-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2532-52-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/2532-56-0x0000000000400000-0x00000000005F5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Windows\SysWOW64\NET.exe
NET STOP SharedAccess
C:\Windows\SysWOW64\NET.exe
NET STOP srservice
C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe.bat
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP SharedAccess
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | you.no-ip.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.yoursite.com | udp |
| US | 8.8.8.8:53 | www.icq.com | udp |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| RU | 5.61.236.229:80 | www.icq.com | tcp |
| US | 172.67.156.222:80 | www.yoursite.com | tcp |
| US | 8.8.8.8:53 | mta6.am0.yahoodns.net | udp |
| US | 67.195.204.72:25 | mta6.am0.yahoodns.net | tcp |
| US | 8.8.8.8:53 | 229.236.61.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.156.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4364-0-0x00000000025D0000-0x00000000025D1000-memory.dmp
C:\Windows\SysWOW64\fservice.exe
| MD5 | 2d32b6e42e9ca81ae04ad9b5d5a6f4ef |
| SHA1 | 6fe29a47f4354304170156584aebc69357002498 |
| SHA256 | 973f74de3ec947a70f8d8c587d333b34d71f0fd56af8afb9b9579397a81d7bc3 |
| SHA512 | 635146905d1da5f5cc36628cd04a7076138ffc384f8f716be7f02047e7fa277342cb3edbb478ddfdccf8d098008705696573fa0dce81168444cf2d547d2d91eb |
memory/5072-8-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/1076-17-0x00000000025B0000-0x00000000025B1000-memory.dmp
C:\Windows\SysWOW64\winkey.dll
| MD5 | d910659cca6a1650c10ff263c8a10fe7 |
| SHA1 | d38dbccb50b63430a51d8f6df2a6c4d23677cff0 |
| SHA256 | 5b308dfdd00dadc887a56f90e05ebfa9963be0c463d524e2ddd8680cb810d2d8 |
| SHA512 | 30c2e455478d270fc1800d251e36014f16c5e7dd9e67c1c1b0f5d4e6070fbd2875c6706efff710b83897704cefb10c7ce1b5c993548568c1f142e5b5c8d44df4 |
memory/1076-22-0x0000000010000000-0x000000001000B000-memory.dmp
C:\Windows\SysWOW64\reginv.dll
| MD5 | 904f3b552d0b762edb4520163d12d3cf |
| SHA1 | 5cca6b60732fe12d5d0d33e2fb2eb0c9004b9a8a |
| SHA256 | 6f2c2b2c8733eac6ca9fb1e95804ab08fcff20caa9e2a59b300400f18900b874 |
| SHA512 | 14a8855ea04cf0bd9508bca077995eb4700988043ae63b8c320762904f415b0a29de5f9bfd8f1c1b9e1cd76700e6e988569b33f14c8a3ed16fa6eade10ab40a4 |
memory/5072-33-0x0000000010000000-0x0000000010008000-memory.dmp
memory/1076-32-0x00000000025E1000-0x00000000025E2000-memory.dmp
memory/1076-31-0x00000000025E0000-0x00000000025E8000-memory.dmp
memory/5072-35-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/4364-39-0x0000000010000000-0x0000000010008000-memory.dmp
memory/5072-38-0x0000000010000000-0x0000000010008000-memory.dmp
memory/4364-40-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/4364-41-0x0000000010000000-0x0000000010008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d32b6e42e9ca81ae04ad9b5d5a6f4ef_JaffaCakes118.exe.bat
| MD5 | f0c661bad5857604f028b29c14afabb7 |
| SHA1 | 253b8f2d2a1cdceacd660e54a984aa914d6b04ad |
| SHA256 | d6710a833f158f5e39c5691912613c18dff71ad5fa52e782d0c264ecfd73d020 |
| SHA512 | 2489a4b7d2b8a51b2e740335a5bde547cd7b6100d2f789cd2d3f1472ff41c14c37a6584dd725e27576f447b50c6faf220441b22d963cae24074fdc3ebd1e564b |
memory/1076-44-0x0000000010000000-0x000000001000B000-memory.dmp
memory/1076-43-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/1076-45-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1076-46-0x0000000000400000-0x00000000005F5000-memory.dmp
memory/1076-50-0x0000000000400000-0x00000000005F5000-memory.dmp