Analysis Overview
SHA256: 448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c
Threat Level: Likely benign
The file a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-12 23:44
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-12 23:44
Reported: 2024-06-12 23:46
Platform: win7-20240611-en
Max time kernel: 118s
Max time network: 124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp/fallbackfiles/'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
| Hash | Value |
| --- | --- |
| MD5 | d4c16982f8a834bc0f8028b45c3ae543 |
| SHA1 | 9d9cec9af8f23a23521e20d48d9af1024663a4a7 |
| SHA256 | 932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b |
| SHA512 | c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c |
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | 9f5f10db782cbffe13612a55f46bae2a |
| SHA1 | e8e752139a893ec51768eefeb909fc7d59f51db5 |
| SHA256 | 861920e5535e09f611de438df4ce24399efbdc77ccc5e01270fa313cd884f353 |
| SHA512 | 63ced942e01ea4e5bb4f7b066297ad1e5c0055ec24d87db0d2bebf1e748b1d6676599b5f1be8c8e51eabcb38b94c8de21cf32eeeb473d002c61dab87b4ea8f2d |
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | ef1f264f9cd443f924583915aa767cd9 |
| SHA1 | da808bc0c6b9ad350a0381eabc8bc1f50a6234a0 |
| SHA256 | 49c017aaf173d566203ed1561f1a8faace334d73d25dd4a0413f39ba5348bb8c |
| SHA512 | f78736c8a46d40bb5d121130298e6be3a8d848ab9d4bdf03bcb208fe545ac90052d7aab2514f4ae5d6af361fc6f4f4badd785d6b78ef515aea5b90f4367decec |
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico
| Hash | Value |
| --- | --- |
| MD5 | 1f047e870359e4ef7097acefe2043f20 |
| SHA1 | 82ab7362f9c066473b2643e6cd4201ccbf0bb586 |
| SHA256 | f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e |
| SHA512 | e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286 |
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png
| Hash | Value |
| --- | --- |
| MD5 | ef1514e5d2bcf830b39858f0736d7de7 |
| SHA1 | 832214b62cb3e56f858a876fc3f09cb3c3324cbb |
| SHA256 | c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1 |
| SHA512 | cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d |
C:\Program Files (x86)\tempo_6871
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | a2a0034878018d56ea6ef448773a8ed3 |
| SHA1 | 2eb810120c139155140343ef627284d9965be1a2 |
| SHA256 | 9c2840d8fcee2a2e14064632f9038cad1c83e2dfbba49d82ae3239214ab60c3c |
| SHA512 | d3cbde4aea8febed4b9b8f4d522c86f2f11f1840a541834d115ee455762de01d013a419446481b3d5e3e871fe345217496083162d27faca3c03986983a57f5f6 |
memory/2148-74-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2980-120-0x0000000000400000-0x000000000043F000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\$IOOQG0B
| Hash | Value |
| --- | --- |
| MD5 | a84af774cdd68fe927b2945baf003f94 |
| SHA1 | 8bd1699bcf3b98637794a5036c47fa48ffd8b8b1 |
| SHA256 | 37af9135593b3fafd5db2d5efadbf05024500510645baef3f744c68258c09b26 |
| SHA512 | 75df6624c87293d931276d941867ebe7f02a128c1b39069af9303234aef633f4b4888964d1ddb3a8b0449e8baa90be2347750e447421c1e201f9d71120cf2b8c |
memory/2148-213-0x00000000002F0000-0x00000000002F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\329.bat
| Hash | Value |
| --- | --- |
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
memory/2980-297-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C343~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | b2440aeee7729027e383ce3b58c6c288 |
| SHA1 | 0b9a025d2a1880875403d132f534aa83e8f35971 |
| SHA256 | eb1408e13ef040705c4295b6ad3b05b41576a94ae20305e7853b65cb2bfb1783 |
| SHA512 | 410aea63379396c1298b9428133dcbcd3efd56e1b13e830b90809428d409a8f5d386a1ebff0508e9c633f2314be1acf641b96476022b5d652aa43d56fc770703 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-12 23:44
Reported: 2024-06-12 23:46
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp/fallbackfiles/'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
| Hash | Value |
| --- | --- |
| MD5 | d4c16982f8a834bc0f8028b45c3ae543 |
| SHA1 | 9d9cec9af8f23a23521e20d48d9af1024663a4a7 |
| SHA256 | 932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b |
| SHA512 | c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c |
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | dced3f8774dfcc826bd944430aef9071 |
| SHA1 | f72ade12a2e57e5c01caceb58de56fcbf7640fa9 |
| SHA256 | bd247889b6fd96ea7da00ad179e6fa838827b1d85678940bce4938a8dbbceb2b |
| SHA512 | 4f6d9ab285966a1eb7e0a60e084df3d0b2b114ff4c8fdfd77d07d279d095026755dfed761ae774b67d58fd90bd82c89114985e926638d57a82537318ca2195c4 |
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png
| Hash | Value |
| --- | --- |
| MD5 | ef1514e5d2bcf830b39858f0736d7de7 |
| SHA1 | 832214b62cb3e56f858a876fc3f09cb3c3324cbb |
| SHA256 | c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1 |
| SHA512 | cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d |
C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico
| Hash | Value |
| --- | --- |
| MD5 | 1f047e870359e4ef7097acefe2043f20 |
| SHA1 | 82ab7362f9c066473b2643e6cd4201ccbf0bb586 |
| SHA256 | f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e |
| SHA512 | e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286 |
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | b1813a3408e3ca0735e916b607a82e56 |
| SHA1 | fcd381ecbc12c031656d5d30494723debbe3f924 |
| SHA256 | 7a4e7e1b282cf434a1ec621290c0be82454787ecb52360033d8d449f5e0e8ea6 |
| SHA512 | 5e1d2ffdca915e8d584045fab5e35ce3ab417fe9f344487553e6fd54dc3b67a70e298414241725495fabf6445046a538e33dcc699a5365bcb80a773319918237 |
C:\Program Files (x86)\tempo_6871
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | 7e5ff05f06f4fa125edaa71366252251 |
| SHA1 | 133c002508798c98257a089f8fe43483ecb054a3 |
| SHA256 | 8c04008b48ede53cbeb500ab829629ca3f742fb25112c50565315439062b18f1 |
| SHA512 | 8aaad242e343cad0e890c0a2e42b0518c74e52a8366318fd86e1ae9320b345e11f71a93ee03e495f2ff526f8a05021a03aad52cc548978a617be7b203cb03068 |
memory/3520-73-0x0000000003410000-0x0000000003411000-memory.dmp
memory/2504-118-0x0000000000400000-0x000000000043F000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IE4Y6WS
| Hash | Value |
| --- | --- |
| MD5 | ca6b6b792b26a2c1dbb943f8745263fe |
| SHA1 | 799a7a852c272a41c35f6682de86d074caf45ccd |
| SHA256 | 7aab3f2f35b155dbbf99a9cf503029c9c6171067fc4e040e6cb2d8242d622943 |
| SHA512 | b979cde0a54d7ad3021495a8faab7f1ba39ba873b948d66110ff1132bfc824f3d16b91ca59b556b5bd19cdc24d9cb6cacf00f30ef3c71c77c13102dc23e7df4b |
memory/3520-177-0x0000000003410000-0x0000000003411000-memory.dmp
memory/2504-292-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\329.bat
| Hash | Value |
| --- | --- |
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | 0cc809e220065aa72fb4119ec3350f24 |
| SHA1 | 9d58efb3d439f6c9e47c252ccb368d6c289045cb |
| SHA256 | 0ba62c78e5c16e75c096979c0ca6175f5c17eab3d8491c58ca37f79098a3c836 |
| SHA512 | 316330a13501cdefc4a108f2e9ac47429862e4119106028031da6dd78272bbd00e25c19e8e8f9a2e45b50d63aa1f1abad3bc58c379bc67bc60b7741a44ef0de2 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-06-12 23:44
Reported: 2024-06-12 23:46
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 121s
Command Line
Signatures
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2212 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2212 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2212 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2212 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2112 wrote to memory of 3048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2112 wrote to memory of 3048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2112 wrote to memory of 3048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2112 wrote to memory of 3048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\14292.bat" "C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\""
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | d4ed4dacce4185689117dfaf70b53dde |
| SHA1 | f2fe31333a6b783c029cbf4b9ccb905443c57f34 |
| SHA256 | 1cf3e885045a7ea88c7172e25fa559aa2464e746ae0d9ee279935a7eac5cd094 |
| SHA512 | 45390b1feb3bf402f975f3fb5b3c6413754ad04b54b3ff3da6856329ab7e5f34ec1d2bfde6bb3d7e82b3c28f10b75065a954c71b8a6f4a5f02fe27ff039c010e |
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | e2d7822b91ce616454d71230a23e05f7 |
| SHA1 | ad66601ceaf4c00c1ae871870aa03de91f070506 |
| SHA256 | be66d9a31b377daf8d58613381f9eaa24b65df52fcda60710d7b0f542d826107 |
| SHA512 | e5d29892a906e5f1fc235e61cbc77945d92fa5be394d7a042bd4214fa52268f19bfaeb0b1796dbc5fc51859ed071c58fb1a33e24a6269d9e2443d95813babc21 |
C:\Program Files (x86)\tempo_6854
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2212-67-0x0000000000190000-0x000000000033F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | 3feee9435d469f789a73af6bc91cba91 |
| SHA1 | c5cf9172c3b95fb3f51ab8f3fb07590a4d38a232 |
| SHA256 | 7aad40a38da4ae9e5e804ed2c38526977832bcb1ecb1cdd9c0205623230d1fdf |
| SHA512 | fbb45831e59fdc9620a0fd5f02a4e28b1b0f34bea3f6618bd3b6b755391b9859b7297d34d2556e98a8eb3b67bae8b2219a4ce71429b909592d0bcdaa566445cc |
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I65T6HK
| Hash | Value |
| --- | --- |
| MD5 | 5539ea3db9a9d521ba14495e1e4b2dd0 |
| SHA1 | 5d83edf0d93b85f312175ceb3acb91be3de8c70a |
| SHA256 | 8fbceeb1a3f5f97a8f4c23df34333a175fe74978576777058b12b2e01fcb54ca |
| SHA512 | 1cf25f29629149e317be4104757f38a773030029555d5754fa8c4b4e63715f1171699bb20e93ae4624c2bc962a5adb461f1137d8e7d79ac0f60808612dcb1bd9 |
memory/2212-201-0x0000000000190000-0x000000000033F000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I3JTVT8
| Hash | Value |
| --- | --- |
| MD5 | aaad025ea22dcf4795386f3ea5863366 |
| SHA1 | 61282d43faef6a890f8c203af63a7bb11f6a4b1e |
| SHA256 | 5389cfdbcfd0bf443f0a6842b45554c107f0d02d6f14dc4f4218ef9a89ebc1fb |
| SHA512 | 53a24b5609cd769e5e6292c8cc89b68b58079f11850baba8f77ec2df257378a36877119158153701ec8202b605893ff635364287187836884b9a0ea6803c7820 |
C:\Users\Admin\AppData\Local\Temp\14292.bat
| Hash | Value |
| --- | --- |
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
memory/2212-286-0x0000000000190000-0x000000000033F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | e7c412065dc56cec1c9e47ce41bb917f |
| SHA1 | 9e85438c4f0ea0217a8b132c43b36905faceefaf |
| SHA256 | b140b3055a23e6ebc48a36f811edd2c042ae8d165517d23befd6b2327d665721 |
| SHA512 | 96501adf47ee7aa3afd46e04a37dc5d7ac53bbb6ecd6b268c2ff35214772e48433a4cf754001a3a71e568418f9abef0131a890f1f29610f606c9536f13c5378d |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-06-12 23:44
Reported: 2024-06-12 23:46
Platform: win10v2004-20240611-en
Max time kernel: 94s
Max time network: 97s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4800 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4800 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4800 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\$_3_.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24607.bat" "C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | udp |
| US | 205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | fallback.playtech-installer.com | udp |
| US | 205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | tcp |
| US | 8.8.8.8:53 | log.web-installer-assets.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | 8c1f8d3b9f727948d81c7c6df7cbca8b |
| SHA1 | 3195a3ac8f8a09187b99c478c4dcb6c297186e1d |
| SHA256 | f889909822dd72ecb6c689258d158f88dc730d933a35586fbba74d739e5474f5 |
| SHA512 | dfafc89e60c3945013e4cb24c6b8b4e434bde821dcdd6b66976279d88f644d501c5b36baa05fa5e4f1fdb8ad516c09d54b622ad50ce0f834b24b029ee5dd2ad4 |
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | e41eb5fccc552032954272125e751218 |
| SHA1 | 3d90fafee4abdde006beb4e59962016da0df5784 |
| SHA256 | 84ee580b2857c8bebd07e07edc0688b5ccea5e03c9a53938064438e8422e42aa |
| SHA512 | 55ec17062b09f3db6eeaff7e40054f5a5b3a7dbcf380af421dda5bfdff8fd7664482866e4ba987a4dec30dbd7c529f98d36dd05c717d5448ca57b116bf30b57c |
C:\Program Files (x86)\tempo_6858
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt
| Hash | Value |
| --- | --- |
| MD5 | 6c6fcb216e096848aa97002cbe7109a0 |
| SHA1 | f350156aeb8c690924565cd98a4f657f46b62108 |
| SHA256 | c598f1fa567ebf96b4b59d6bc83a196eb3e58a44888874f52152447a12615fd5 |
| SHA512 | d15356b7e39da81504b1148d8897282b3af0da0861027ff16a5a840cbb2efe3358fd701c27fe964471caa1bc77ca44b15f28ef6929b22290b7f52c0727cd6ad7 |
memory/4800-65-0x0000000003CF0000-0x0000000003CF1000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2447855248-390457009-3660902674-1000\$IA2Y796
| Hash | Value |
| --- | --- |
| MD5 | cb9cbb99b7cb299cf1f7b4b86a45cf83 |
| SHA1 | 35e7b2495214c4c2b3b046343257d0ffacdbb824 |
| SHA256 | 1750ce18a824ecbc2903b4d2431c943d24f55e27e5a64885e4fa1085a0d81e4d |
| SHA512 | 8343ab28eb48afd0dfd1206ffad7321938c95e90d29a1e4147afdb569366c2cfb90baaa17f79e8aff6838397554acde86a9f818f3042547bf5a86a39a1ff5923 |
memory/4800-196-0x0000000003CF0000-0x0000000003CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\24607.bat
| Hash | Value |
| --- | --- |
| MD5 | 668767f1e0c7ff2b3960447e259e9f00 |
| SHA1 | 32d8abf834cce72f5e845175a0af2513b00504d8 |
| SHA256 | cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d |
| SHA512 | c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680 |
C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC775~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | b70ce98feaec3b3433b9495c0924cc45 |
| SHA1 | bf34f0eaec428bbe2ecab2cf25cc17e0c019ca15 |
| SHA256 | 29b2b6022184df069caa6ef1c8b56f8291ee84ea7155b8583f84c5ffb2c2a17e |
| SHA512 | 56816ec74d447b018eeed11f7af2d20fc82f87cdafa89832ccfd381f930ad1b2e9bfb727de581854ec562dec204b7d5720f1248b783964a661336cb89f5e5dc7 |