Malware Analysis Report

2024-08-06 15:08

Sample ID 240523-nvnkaseh49
Target 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118
SHA256 1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd
Tags
nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd

Threat Level: Known bad

The file 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-23 11:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 11:43

Reported

2024-05-23 11:45

Platform

win7-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 2620 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2564 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2564 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 2776 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 2776 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 2776 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
PID 2764 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe

teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe

MD5 b4f5373a0c13a6b4598c8ed404a6bdae
SHA1 4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9
SHA256 5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061
SHA512 29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d

C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat

MD5 78cf128c2c0b024aa9075d038f32c0f9
SHA1 ea941836117cb9f6d87a010806bbd5df58bd938a
SHA256 bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
SHA512 d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat

MD5 7b3bcb606d504b0f4a6c1d94720aa979
SHA1 2e426175d2bc245d3946e2ba06092b8b969f13c1
SHA256 3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929
SHA512 5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe

MD5 cb80b60fe4975dbbbb97bfd2de56bb1e
SHA1 b4c05c7999a3f3c12e6275b22a553401ac06caeb
SHA256 3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df
SHA512 80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24

C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

MD5 a2d1b1113d184205eed4835bf0cb06c6
SHA1 1b5775e187665f7c9131aee29c0daa4c3de43eb7
SHA256 fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01
SHA512 182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 11:43

Reported

2024-05-23 11:45

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AGP Service\agpsv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
File opened for modification C:\Program Files (x86)\AGP Service\agpsv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 512 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
PID 3448 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4848 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 512 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 3408 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 3408 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
PID 2148 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
PID 2148 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
PID 2148 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe

teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
US 8.8.4.4:53 newipset.hopto.org udp
US 8.8.8.8:53 newipset.hopto.org udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe

MD5 b4f5373a0c13a6b4598c8ed404a6bdae
SHA1 4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9
SHA256 5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061
SHA512 29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d

C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat

MD5 78cf128c2c0b024aa9075d038f32c0f9
SHA1 ea941836117cb9f6d87a010806bbd5df58bd938a
SHA256 bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
SHA512 d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat

MD5 7b3bcb606d504b0f4a6c1d94720aa979
SHA1 2e426175d2bc245d3946e2ba06092b8b969f13c1
SHA256 3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929
SHA512 5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe

MD5 cb80b60fe4975dbbbb97bfd2de56bb1e
SHA1 b4c05c7999a3f3c12e6275b22a553401ac06caeb
SHA256 3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df
SHA512 80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24

C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe

MD5 a2d1b1113d184205eed4835bf0cb06c6
SHA1 1b5775e187665f7c9131aee29c0daa4c3de43eb7
SHA256 fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01
SHA512 182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4