Malware Analysis Report

2025-01-03 09:28

Sample ID 240604-2cgkxsec74
Target 967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118
SHA256 6546ac26f664708e688ae8dcf35b9acb75760b5d2177f55a98c8f8f66739079a
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

6546ac26f664708e688ae8dcf35b9acb75760b5d2177f55a98c8f8f66739079a

Threat level: shows suspicious behavior

Verdict for 967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118: shows suspicious behavior (no family or malicious verdict assigned).

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK (Enterprise Matrix V15)

No techniques listed.

Analysis: static1

Detonation Overview

Reported

2024-06-04 22:26

Signatures

Unsigned PE

Description, indicator, process, target: N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe

"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 masterconn.qq.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 masterconn2.qq.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\dr.dll

MD5 68a34245c650829c613e9068bdc6f79d
SHA1 f877ad637c2097915ba894fdccb1a596a52a726e
SHA256 c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf
SHA512 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe

C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\QMNetworkMgr.dll

MD5 05dd1f39d102be0cb0be1da37dc8664b
SHA1 1375a2ddd6b61b408faf7d7a52e67d5d6f4d1aed
SHA256 c390e551a8eb0deca95ae1f92003fcd1b610c5c7b27fe42d772b8f18c828f1a9
SHA512 d59e4a2d5d1d3a69bd3be4099018ab184dc1d7177f9c019737617530e3bd77858a4d01d7d2602579b38b6e4783c290a5acfa09b8af1e72537ba7ea0ddbde659d

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\System.dll

MD5 b9f430f71c7144d8ff4ab94be2785aa6
SHA1 c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
SHA256 b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
SHA512 c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

\Users\Admin\AppData\Local\Temp\nsd1B5F.tmp\SetupHelper.dll

MD5 e4df5c7f58d5e0ccbbe7a6e74fc449ad
SHA1 d0c92b3b78cd5fa61ce51b770565aeb488610c43
SHA256 af55cbbbd681182226c5e854470a05ea8ec6242a30d28c61ce9c20b968088db8
SHA512 5f7456f107df50809bd504e46cd4f5cc43764e683fb14dbcd03c1e6ab5ea5868c0279ed52c8aa5c1795e7928335b9ac07c31c228333dcd44dbb408f04ce2619d

memory/1700-9-0x0000000002840000-0x00000000029AA000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

Signatures

Program crash

Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description: PID 4344 wrote to memory of 3700 (3 events)
Process: C:\Windows\system32\rundll32.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 660

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description: PID 4012 wrote to memory of 2192 (3 events)
Process: C:\Windows\system32\rundll32.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
Target: N/A

Note: the recorded indicator is a writable handle to the raw disk, not an observed write to sector 0. Legitimate disk and recovery tools open \??\PhysicalDrive0 the same way, so confirm an actual MBR write before treating this as bootkit persistence.

Modifies system certificate store

evasion spyware trojan
Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Process: C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
Target: N/A

Description: Set value (data)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary value omitted)
Process: C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
Target: N/A

Note: AuthRoot\Certificates is where Windows' automatic root update stores public roots fetched on first use, and the thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 matches the public DigiCert Global Root CA. On a Win7 sandbox this signature fires for ordinary TLS connections (see the c.pc.qq.com:443 traffic below), so on its own it is weak evidence of certificate-store tampering; a thumbprint outside the public-root set would be the stronger signal.

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe
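The two signatures above are good candidates for a second look before they go into a report: the MBR one is keyed on a writable raw-disk handle rather than a sector write, and the certificate one fires for any key under AuthRoot\Certificates. The script below is an added example, not the sandbox's own detection logic, that re-derives both findings from raw event records with a confidence level attached, and also annotates the rundll32 / WerFault process trees seen in behavioral3, 4, 5 and 6 (64-bit System32 rundll32.exe launching the SysWOW64 copy for the same DLL, then WerFault attaching to the child). Paths, PIDs and the AuthRoot thumbprint are taken from this report; the event schema (`kind`, `path`, `access`, `parent`, `args`), the WerFault PIDs and the one-entry public-root baseline are constructed for the example.

```python
"""Re-check the signatures in this report against raw sandbox events.

Added example, not the sandbox's own detection code. Event and process
records are constructed to mirror the report's rows (paths, PIDs and the
AuthRoot thumbprint come from it); the record fields themselves
('kind', 'path', 'access', 'parent', 'args') are an assumed schema.
"""
import re
from dataclasses import dataclass

WIN10TIPS = r"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"
AUTHROOT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates" + "\\"
THUMB = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

PHYSICAL_DRIVE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)
AUTHROOT_CERT = re.compile(r"\\AuthRoot\\Certificates\\([0-9A-F]{40})(?:\\|$)", re.IGNORECASE)
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")  # WerFault's -p argument names the faulting PID

# Public roots that Windows' automatic root update installs into AuthRoot on
# first use. Constructed baseline with a single entry, the thumbprint from this report.
KNOWN_PUBLIC_ROOTS = {THUMB: "DigiCert Global Root CA"}


@dataclass(frozen=True)
class Finding:
    signature: str
    process: str
    indicator: str
    confidence: str
    note: str


def triage(events):
    """Map raw events to the report's signature names, one Finding per (signature, process, indicator)."""
    seen, findings = set(), []

    def add(f):
        key = (f.signature, f.process, f.indicator)
        if key not in seen:
            seen.add(key)
            findings.append(f)

    for ev in events:
        if ev["kind"] == "file_open" and PHYSICAL_DRIVE.match(ev["path"]):
            if "write" in ev["access"]:  # read-only opens are device enumeration, not an MBR write
                add(Finding("Writes to the Master Boot Record (MBR)", ev["process"], ev["path"], "medium",
                            "writable raw-disk handle; confirm a sector-0 write before calling it a bootkit"))
        elif ev["kind"] in ("reg_create", "reg_set"):
            m = AUTHROOT_CERT.search(ev["path"])
            if m:
                thumb = m.group(1).upper()
                known = KNOWN_PUBLIC_ROOTS.get(thumb)
                add(Finding("Modifies system certificate store", ev["process"], thumb,
                            "low" if known else "high",
                            f"public root ({known}); consistent with automatic root update" if known
                            else "not in public-root baseline; dump the Blob value and inspect the issuer"))
    return findings


def explain_process_tree(procs):
    """Annotate PIDs: WOW64 rundll32 relaunches, and which PID each WerFault instance reports on."""
    by_pid = {p["pid"]: p for p in procs}
    notes = {}
    for p in procs:
        image = p["image"].lower()
        parent = by_pid.get(p.get("parent"))
        if (parent and image.endswith(r"\syswow64\rundll32.exe")
                and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and p["args"] == parent["args"]):
            notes.setdefault(p["pid"], []).append(
                f"32-bit rundll32 relaunched by 64-bit PID {parent['pid']} for the same DLL (WOW64 hop); "
                "review the parent's WriteProcessMemory in that light before treating it as injection")
        if image.endswith(r"\werfault.exe"):
            m = WERFAULT_PID.search(p["args"])
            if m:
                notes.setdefault(int(m.group(1)), []).append(f"crashed; WerFault PID {p['pid']} attached to it")
    return notes


# Constructed records mirroring behavioral7 (events) and behavioral4 (process tree).
SAMPLE_EVENTS = [
    {"kind": "file_open", "path": r"\??\PhysicalDrive0", "access": {"read", "write"}, "process": WIN10TIPS},
    {"kind": "reg_create", "path": AUTHROOT + THUMB, "process": WIN10TIPS},
    {"kind": "reg_set", "path": AUTHROOT + THUMB + r"\Blob", "process": WIN10TIPS},
]
SAMPLE_PROCS = [
    {"pid": 4344, "parent": None, "image": r"C:\Windows\system32\rundll32.exe",
     "args": r"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1"},
    {"pid": 3700, "parent": 4344, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "args": r"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1"},
    {"pid": 5001, "parent": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",  # PID constructed
     "args": "-u -p 3700 -s 660"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.signature}: {f.indicator} ({f.note})")
    for pid, ns in sorted(explain_process_tree(SAMPLE_PROCS).items()):
        print(pid, "; ".join(ns))
```

Against the constructed records this yields a medium-confidence MBR finding, a low-confidence certificate-store finding (the two registry events collapse into one), and PID 3700 annotated as the WOW64 relaunch that WerFault later attached to. Extending `KNOWN_PUBLIC_ROOTS` from a clean baseline image of the same Windows build is what makes the certificate check useful in practice.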

Processes

C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe

"C:\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10Tips.exe"

Network

Country Destination Domain Proto
CN 183.62.104.184:8000 (no domain) udp
US 8.8.8.8:53 masterconn.qq.com udp
US 8.8.8.8:53 masterconn2.qq.com udp
HK 43.154.254.18:8000 masterconn.qq.com udp
US 8.8.8.8:53 c.pc.qq.com udp
HK 43.135.106.184:80 c.pc.qq.com tcp
HK 43.135.106.184:443 c.pc.qq.com tcp

Files

\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\dr.dll

MD5 68a34245c650829c613e9068bdc6f79d
SHA1 f877ad637c2097915ba894fdccb1a596a52a726e
SHA256 c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf
SHA512 1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe

\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\QMNetworkMgr.dll

MD5 05dd1f39d102be0cb0be1da37dc8664b
SHA1 1375a2ddd6b61b408faf7d7a52e67d5d6f4d1aed
SHA256 c390e551a8eb0deca95ae1f92003fcd1b610c5c7b27fe42d772b8f18c828f1a9
SHA512 d59e4a2d5d1d3a69bd3be4099018ab184dc1d7177f9c019737617530e3bd77858a4d01d7d2602579b38b6e4783c290a5acfa09b8af1e72537ba7ea0ddbde659d

\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\Win10TipsCfg.dll

MD5 a2c8def8db67c09f9b7ff82edb2180df
SHA1 70aaa958041f7b638f1ba5d8f5fd646b9b159041
SHA256 fad5d20878ecc4f2c4762e69225d6f9dcca038789e999035fe0858d1d267d5d2
SHA512 75f30c95bf6783e118452103a4816afcbcbde19add23d6af97d6abceee802585cb45cb70694a9c46b863649950dbdc379b975aa88fd6aaeeeb0faf7ec2807edb

memory/1640-24-0x00000000007E0000-0x00000000007E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\appraiserxp.dll

MD5 0a51cf7877b4cb63f821927d011e0237
SHA1 41b32cf76ed2e49348b25261012b0a32ff6c2dee
SHA256 12b5c50c492f5bf9e74a4eb8a0748d6d204510f17cb262a03e3b22e57ca01dfb
SHA512 1a46f018a2dea49e6f383026dbfebfd6d585594460609380937c1f74f5d72bf3bef687eb790b7ecb25f16d1e08812b5cc1cdd04dac7865d10bb373a4d76c529a

\Users\Admin\AppData\Local\Temp\CacheWin10Tips\plugins\Win10Tips\xmllite.dll

MD5 aa90ae4a50124c0a82052209ec42330c
SHA1 ccd555f322a7f12cd2900bd243c8096abb54d214
SHA256 ebed0790f95d9b8b901d0d27b836c9fd94698bbb025ad1d88eff97db68d64170
SHA512 99412dd0fd7aa0ee4bd3c2855e9beaa63e12287ef65420ab20d00cae5c8dc72cdd0e64be7ea9a98e0e605a6b1dbcfb188dc8b3bb6dd2785e9c71cf63c5e2c64d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\967472f4bb4622e04e4e7f81d8d77222_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsc4C7C.tmp\System.dll

MD5 b9f430f71c7144d8ff4ab94be2785aa6
SHA1 c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
SHA256 b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
SHA512 c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

C:\Users\Admin\AppData\Local\Temp\nsc4C7C.tmp\SetupHelper.dll

MD5 e4df5c7f58d5e0ccbbe7a6e74fc449ad
SHA1 d0c92b3b78cd5fa61ce51b770565aeb488610c43
SHA256 af55cbbbd681182226c5e854470a05ea8ec6242a30d28c61ce9c20b968088db8
SHA512 5f7456f107df50809bd504e46cd4f5cc43764e683fb14dbcd03c1e6ab5ea5868c0279ed52c8aa5c1795e7928335b9ac07c31c228333dcd44dbb408f04ce2619d

memory/736-11-0x0000000003050000-0x00000000031BA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-04 22:26

Reported

2024-06-04 22:28

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description: PID 2196 wrote to memory of 3048 (7 events)
Process: C:\Windows\system32\rundll32.exe
Target: C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupHelper.dll,#1

Network

N/A

Files

N/A