Malware Analysis Report

2024-08-06 15:20

Sample ID 240521-se7epaaa3w
Target 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118
SHA256 feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0

Threat Level: Known bad

The file 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-21 15:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 15:03

Reported

2024-05-21 15:05

Platform

win7-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\goals = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\epr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\CRI_BM~1" C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1296 set thread context of 108 N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAN Service\lansv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\LAN Service\lansv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2536 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
PID 2536 wrote to memory of 1296 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
PID 1296 wrote to memory of 108 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe

"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\ZAQEU

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 leosmart.zapto.org udp 16
US 8.8.4.4:53 leosmart.zapto.org udp 15
PL 212.7.218.52:3365 tcp 15

Identical rows are collapsed into the Count column. The capture repeats one cycle five times: a burst of DNS queries for leosmart.zapto.org (a No-IP dynamic DNS name; seven queries in the first burst, six in each later one) alternating between 8.8.8.8 and 8.8.4.4, followed by three TCP connections to 212.7.218.52:3365 with no domain attached. Read together with the RegSvcs.exe injection above, this is a client repeatedly resolving and reconnecting to a configured host on a non-standard port; the host name, the address and the port are the network indicators worth keeping from this run.

Files

\Users\Admin\AppData\Local\Temp\40633691\epr.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\40633691\ipg.icm

MD5 7a80edf15dc0a33c0019c9b37d38bc1c
SHA1 b27c1be7d270b7478a1d7781bf1bef2bb7dd3893
SHA256 db50b5f644811c57f4591bffb64d6aad80e48547318dc6a0831872e9c28f26e9
SHA512 e6f39ed9885e781ebffd67f9589add54747e632320aa6997256b3e7c827b8e41e37e27c6de697f082feb5a76d2cd972dc4f981cc886080d435af04edd89a77e6

C:\Users\Admin\AppData\Local\Temp\40633691\wcn.ico

MD5 c91231980cac0c054acb16d337e660f6
SHA1 a26bd4f0b3ba8b212c59b77b38e0a1105875071c
SHA256 262e13318a1fe6de6fcabc2240323a50680164f0b4d553210542744c6f46330d
SHA512 2f9c65ee51e859580d9ba51c5d6d2c3fcd69004ff029a28858d2fc33049964308ea6f255e56d6329cfd5e6f15d3f76d5b12cec6c4c73463c947bcf0faa822071

C:\Users\Admin\AppData\Local\Temp\40633691\cri=bmv

MD5 ca49d5e6c03a09032728e91d192b9905
SHA1 ebbc137ac900d5e8fea261606024f35078ab2a21
SHA256 f3d52b4c5fbcc79cdb3a249401cf5413df1e4d24656a5767e22380a0d1bbdc8d
SHA512 4fbdef69b005276cb7e0129d6571d40a27dbcfd47c40c1d77c62a81c3694f341094188f94382087875a4032d11382aeb6b714e2bca9f3640d66c3ab52c84ac0c

C:\Users\Admin\AppData\Local\Temp\40633691\wdv.ppt

MD5 d271c6cc1e107d4812b14b6aca3e8af4
SHA1 4f829384cf691c8a257936ca1858a9607ce71fbf
SHA256 f9c07a3bf95df9704c38fa941894fc3b0c5b79d862afb47a6b92ef0b3a5ad462
SHA512 4925016c1c937a1a2e60fa5db9a976f91e099e4d65f1bc5dc3c8894474c0f0d7ef464016b403d4ecfeca506de4abff7a74de4ef29d3f32f89e134d178ef16753

C:\Users\Admin\AppData\Local\Temp\40633691\ZAQEU

MD5 458a1b6d11ccc54ff99f06fafbcc4f15
SHA1 a52b6d318b797b3dbece1ba5c0fb87f212de81f7
SHA256 433a04b587e62bd4baf7192d783bc4fdea4ce2ebb1a951332e03f32e46463f61
SHA512 f7d73f100ee0b5f9e79f7fb119e1b0123b65a3d1d6ec8c7bec487f6b7027cb51a8a1262bf838dc97c0a0a39dfbef9a25dd1cdcb6d192cafe73d333e43cd3d879

memory/108-126-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-136-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-137-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-135-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/108-132-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-130-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-128-0x0000000000400000-0x0000000000438000-memory.dmp

memory/108-140-0x00000000003A0000-0x00000000003AA000-memory.dmp

memory/108-141-0x00000000003B0000-0x00000000003CE000-memory.dmp

memory/108-142-0x00000000003E0000-0x00000000003EA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 15:03

Reported

2024-05-21 15:05

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\goals = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\epr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\CRI_BM~1" C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
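
Added example, not part of this report or of any sandbox tooling: a Python check that takes a .reg-style export of the Run key and applies the observations in the two persistence tables as rules (an executable under a user-writable AppData path, an argument given as an 8.3 short name, and a "<X> Service" value launching an exe from its own Program Files folder). The export text and the benign OneDrive entry are constructed for the example; the rule set, the SERVICE_STYLE_NAME pattern and the simplified 8.3 short-name generator are assumptions of the example. The short-name generator also maps the CRI_BM~1 argument of the goals value back to the dropped file cri=bmv listed under Files, which is what the short name hides (the "=" is not legal in an 8.3 name and becomes "_").

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg-style export of the Run key. The "goals" and "DPI Service"
# values are copied from this report; the "OneDrive" value is a made-up
# benign control so the rules have something to leave alone.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"goals"="C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\epr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\CRI_BM~1"
"DPI Service"="C:\\Program Files (x86)\\DPI Service\\dpisvc.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

# Names of the files the report lists next to epr.exe.
DROPPED_FILES = ["epr.exe", "ipg.icm", "wcn.ico", "cri=bmv", "wdv.ppt", "ESTNQ"]

REG_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.I)
SERVICE_STYLE_NAME = re.compile(r'^[A-Z]{2,5} Service$')  # "LAN Service" / "DPI Service" as in this report
SHORT_NAME_INVALID = set(' +,;=[]')  # legal in long names, not in 8.3 aliases


def unescape_reg(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> Dict[str, str]:
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_LINE.match(line.strip())
        if m:
            values[unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return values


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments). Unquoted paths with spaces
    are cut at the first ".exe", a heuristic that fits both values in this report."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(.*?\.exe)\s*(.*)$', cmd, re.I | re.S)
    return (m.group(1), m.group(2).strip()) if m else (cmd, '')


def short_name_candidate(long_name: str) -> str:
    """The NAME~1 alias Windows generates for a name that does not fit 8.3.
    Simplified: the hash-based form used after several collisions is not modelled."""
    base, dot, ext = long_name.rpartition('.')
    if not dot:
        base, ext = long_name, ''

    def clean(s: str) -> str:
        return ''.join('_' if c in SHORT_NAME_INVALID else c for c in s if c not in ' .')

    base_c, ext_c = clean(base).upper(), clean(ext).upper()
    already_short = (base_c == base.upper() and len(base_c) <= 8
                     and ext_c == ext.upper() and len(ext_c) <= 3)
    if already_short:
        return long_name.upper()  # no alias needed: short name equals the long name
    return base_c[:6] + '~1' + ('.' + ext_c[:3] if ext_c else '')


def assess_run_value(name: str, command: str, dropped: List[str]) -> dict:
    exe, args = split_command(command)
    reasons: List[str] = []
    arg_matches: List[str] = []
    if USER_WRITABLE.search(exe):
        reasons.append('executable under a user-writable AppData path')
    if re.search(r'~\d', args):
        reasons.append('argument is an 8.3 short name, which hides the real file name')
        wanted = args.rsplit('\\', 1)[-1].upper()
        arg_matches = [f for f in dropped if short_name_candidate(f) == wanted]
    own_dir = re.compile(r'^C:\\Program Files( \(x86\))?\\' + re.escape(name) + r'\\', re.I)
    if SERVICE_STYLE_NAME.match(name) and own_dir.match(exe):
        reasons.append('"<X> Service" value launching an exe from its own Program Files folder '
                       '(the install layout this report shows)')
    return {'name': name, 'exe': exe, 'args': args, 'reasons': reasons, 'arg_matches': arg_matches}


def scan_run_key(reg_text: str = SAMPLE_REG_EXPORT, dropped: List[str] = DROPPED_FILES) -> List[dict]:
    return [assess_run_value(n, v, dropped) for n, v in parse_run_values(reg_text).items()]


if __name__ == '__main__':
    for r in scan_run_key():
        print(r['name'], '->', r['reasons'], r['arg_matches'])
```

On a live host the same rules apply to both HKLM and HKCU Run keys and to the Wow6432Node view; the export-based form above is for triage of collected artifacts offline.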

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4584 set thread context of 5116 N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Service\dpisvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DPI Service\dpisvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 4280 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
PID 4280 wrote to memory of 4584 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
PID 4584 wrote to memory of 5116 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe

"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\ESTNQ

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
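
Added example, not part of this report: Python detection logic for the injection chain that the SetThreadContext and WriteProcessMemory tables describe in both behavioral1 and behavioral2 (a process writes into a child it spawned and then replaces the child's thread context, the child being a signed .NET Framework binary such as RegSvcs.exe). The event list is constructed from behavioral1's PIDs and image paths with the write counts collapsed; the benign control rows, the PID-reuse rows and the HOLLOW_HOSTS list are assumptions of the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed event stream. PIDs and image paths are those of behavioral1 in
# this report; the ordering, the reduced write counts, the benign "tool.exe"
# rows and the PID-reuse rows are assumptions made for the example.
Event = Tuple[str, int, int, Optional[str]]  # (kind, pid_or_src, ppid_or_dst, image)
EVENTS: List[Event] = [
    ("ProcessCreate", 2916, 0, r"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"),
    ("ProcessCreate", 2536, 2916, r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe"),
    ("WriteProcessMemory", 2916, 2536, None),
    ("ProcessCreate", 1296, 2536, r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe"),
    ("WriteProcessMemory", 2536, 1296, None),
    ("ProcessCreate", 108, 1296, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ("WriteProcessMemory", 1296, 108, None),
    ("WriteProcessMemory", 1296, 108, None),
    ("SetThreadContext", 1296, 108, None),
    # benign control: a parent that writes into its child but never swaps the
    # thread context, and the child is not a known hollowing host
    ("ProcessCreate", 3000, 0, r"C:\Program Files\Tool\tool.exe"),
    ("ProcessCreate", 3001, 3000, r"C:\Program Files\Tool\helper.exe"),
    ("WriteProcessMemory", 3000, 3001, None),
    # PID reuse: 108 exits and an unrelated process receives the same PID;
    # stale write counters must not carry over to it
    ("ProcessCreate", 108, 0, r"C:\Windows\System32\notepad.exe"),
    ("SetThreadContext", 1296, 108, None),
]

# .NET Framework binaries commonly used as hollowing hosts by commodity RATs
# (assumed list for the example; extend it from your own telemetry).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect_hollowing(events: List[Event]) -> List[dict]:
    image: Dict[int, str] = {}
    parent: Dict[int, int] = {}
    writes: Dict[Tuple[int, int], int] = {}
    alerts: List[dict] = []
    for kind, a, b, img in events:
        if kind == "ProcessCreate":
            image[a], parent[a] = img or "", b
            # a new process under this PID starts with a clean slate
            for key in [k for k in writes if k[1] == a]:
                del writes[key]
        elif kind == "WriteProcessMemory":
            writes[(a, b)] = writes.get((a, b), 0) + 1
        elif kind == "SetThreadContext":
            target = image.get(b, "")
            if (writes.get((a, b), 0) and parent.get(b) == a
                    and basename(target).lower() in HOLLOW_HOSTS):
                # walk the injector's ancestry so the alert carries the whole chain
                chain, p = [], a
                while p in image:
                    chain.append(basename(image[p]))
                    p = parent[p]
                chain.reverse()
                chain.append(basename(target))
                alerts.append({
                    "injector_pid": a, "target_pid": b, "writes": writes[(a, b)],
                    "chain": chain,
                    "injector_in_user_path": bool(USER_WRITABLE.search(image.get(a, ""))),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(EVENTS):
        print(" -> ".join(alert["chain"]), alert)
```

The rule keys on the combination the report shows (create, write, then SetThreadContext into a framework binary) rather than on WriteProcessMemory alone, which debuggers and installers also use; resetting the per-PID counters on ProcessCreate is what keeps a reused PID from inheriting an earlier process's writes.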

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 leosmart.zapto.org udp 25
US 8.8.4.4:53 leosmart.zapto.org udp 15
PL 212.7.218.52:3365 tcp 13
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
NL 23.62.61.99:443 www.bing.com tcp 2
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 2
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp 1
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp 1
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1

Identical rows are collapsed into the Count column. The same cycle as in behavioral1 recurs: a burst of DNS queries for leosmart.zapto.org, then three TCP connections to 212.7.218.52:3365 (the last burst is cut short by the end of the capture). The in-addr.arpa PTR lookups and the bing.com / bing.net traffic are almost certainly background activity of the Windows 10 image rather than the sample and should be kept out of any indicator list derived from this report.

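Added example, not part of this report: Python logic that turns the connection pattern in the two Network tables into a detection: lookups of dynamic-DNS names, filtering of sandbox background noise, and regular bursts of connections to one address and port. The report carries no timestamps, so the log built by build_sample_log() is constructed, with five cycles spaced about 30 seconds apart as an assumption; the suffix lists and thresholds are likewise assumptions of the example.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed connection log. The domain, resolver addresses, C2 address and
# port are the ones in this report; the timing (five retry cycles roughly
# 30 s apart) and the background rows are assumptions made for the example.
Record = Tuple[str, float, str, Optional[int], Optional[str]]  # (kind, t, host_or_ip, port, domain)


def build_sample_log() -> List[Record]:
    log: List[Record] = [
        ("dns", 0.0, "133.211.185.52.in-addr.arpa", None, None),
        ("dns", 0.5, "www.bing.com", None, None),
        ("tcp", 0.6, "23.62.61.99", 443, "www.bing.com"),
    ]
    for i in range(5):
        t0 = 10.0 + 30.0 * i + 0.7 * (i % 2)  # a little jitter between cycles
        log.append(("dns", t0, "leosmart.zapto.org", None, None))
        log.append(("dns", t0 + 0.1, "leosmart.zapto.org", None, None))
        for k in range(3):
            log.append(("tcp", t0 + 0.5 + k, "212.7.218.52", 3365, None))
    return sorted(log, key=lambda r: r[1])


# Dynamic-DNS suffixes (No-IP and similar; partial list, assumed for the example).
DYNDNS_SUFFIXES = (".zapto.org", ".hopto.org", ".ddns.net", ".no-ip.org", ".no-ip.biz",
                   ".sytes.net", ".myftp.org", ".servehttp.com", ".duckdns.org")
# Sandbox / OS background traffic to ignore (assumed list).
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")
BURST_GAP_S = 5.0   # connections closer than this belong to one retry burst
MIN_BURSTS = 3      # fewer bursts than this is not enough to call it periodic
MAX_CV = 0.5        # coefficient of variation below which the timing counts as regular


def is_noise(name: Optional[str]) -> bool:
    return bool(name) and name.lower().endswith(NOISE_SUFFIXES)


def analyze(log: List[Record]) -> Dict:
    dyndns: Dict[str, int] = {}
    conns: Dict[str, List[float]] = {}
    dropped = 0
    for kind, t, host, port, domain in log:
        if kind == "dns":
            if is_noise(host):
                dropped += 1
            elif host.lower().endswith(DYNDNS_SUFFIXES):
                dyndns[host] = dyndns.get(host, 0) + 1
        elif kind == "tcp":
            if is_noise(domain):
                dropped += 1
                continue
            conns.setdefault(f"{host}:{port}", []).append(t)

    beacons: List[dict] = []
    for dst, times in conns.items():
        times.sort()
        bursts: List[List[float]] = [[times[0]]]
        for t in times[1:]:
            if t - bursts[-1][-1] <= BURST_GAP_S:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        if len(bursts) < MIN_BURSTS:
            continue
        starts = [b[0] for b in bursts]
        intervals = [later - earlier for earlier, later in zip(starts, starts[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= MAX_CV:
            beacons.append({"dst": dst, "connections": len(times), "bursts": len(bursts),
                            "mean_interval_s": round(mean, 2), "cv": round(cv, 3)})
    return {"dyndns_lookups": dyndns, "beacons": beacons, "noise_dropped": dropped}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Grouping connections into bursts before measuring the interval is what makes the three-attempt retry pattern from the tables count as one event per cycle; measuring the raw gap between every connection would mix the one-second retries with the 30-second cycle and hide the regularity.
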
Files

C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\40633691\ipg.icm

MD5 7a80edf15dc0a33c0019c9b37d38bc1c
SHA1 b27c1be7d270b7478a1d7781bf1bef2bb7dd3893
SHA256 db50b5f644811c57f4591bffb64d6aad80e48547318dc6a0831872e9c28f26e9
SHA512 e6f39ed9885e781ebffd67f9589add54747e632320aa6997256b3e7c827b8e41e37e27c6de697f082feb5a76d2cd972dc4f981cc886080d435af04edd89a77e6

C:\Users\Admin\AppData\Local\Temp\40633691\wcn.ico

MD5 c91231980cac0c054acb16d337e660f6
SHA1 a26bd4f0b3ba8b212c59b77b38e0a1105875071c
SHA256 262e13318a1fe6de6fcabc2240323a50680164f0b4d553210542744c6f46330d
SHA512 2f9c65ee51e859580d9ba51c5d6d2c3fcd69004ff029a28858d2fc33049964308ea6f255e56d6329cfd5e6f15d3f76d5b12cec6c4c73463c947bcf0faa822071

C:\Users\Admin\AppData\Local\Temp\40633691\cri=bmv

MD5 ca49d5e6c03a09032728e91d192b9905
SHA1 ebbc137ac900d5e8fea261606024f35078ab2a21
SHA256 f3d52b4c5fbcc79cdb3a249401cf5413df1e4d24656a5767e22380a0d1bbdc8d
SHA512 4fbdef69b005276cb7e0129d6571d40a27dbcfd47c40c1d77c62a81c3694f341094188f94382087875a4032d11382aeb6b714e2bca9f3640d66c3ab52c84ac0c

C:\Users\Admin\AppData\Local\Temp\40633691\wdv.ppt

MD5 d271c6cc1e107d4812b14b6aca3e8af4
SHA1 4f829384cf691c8a257936ca1858a9607ce71fbf
SHA256 f9c07a3bf95df9704c38fa941894fc3b0c5b79d862afb47a6b92ef0b3a5ad462
SHA512 4925016c1c937a1a2e60fa5db9a976f91e099e4d65f1bc5dc3c8894474c0f0d7ef464016b403d4ecfeca506de4abff7a74de4ef29d3f32f89e134d178ef16753

C:\Users\Admin\AppData\Local\Temp\40633691\ESTNQ

MD5 458a1b6d11ccc54ff99f06fafbcc4f15
SHA1 a52b6d318b797b3dbece1ba5c0fb87f212de81f7
SHA256 433a04b587e62bd4baf7192d783bc4fdea4ce2ebb1a951332e03f32e46463f61
SHA512 f7d73f100ee0b5f9e79f7fb119e1b0123b65a3d1d6ec8c7bec487f6b7027cb51a8a1262bf838dc97c0a0a39dfbef9a25dd1cdcb6d192cafe73d333e43cd3d879

memory/5116-121-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5116-122-0x0000000005520000-0x0000000005AC4000-memory.dmp

memory/5116-123-0x0000000005090000-0x0000000005122000-memory.dmp

memory/5116-124-0x00000000051D0000-0x000000000526C000-memory.dmp

memory/5116-125-0x0000000005140000-0x000000000514A000-memory.dmp

memory/5116-128-0x0000000005360000-0x000000000536A000-memory.dmp

memory/5116-129-0x0000000005500000-0x000000000551E000-memory.dmp

memory/5116-130-0x0000000006060000-0x000000000606A000-memory.dmp