Malware Analysis Report

2025-04-14 04:44

Sample ID 240612-3q6mmsyhrr
Target a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118
SHA256 448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c
score
5/10

Analysis Overview

score
5/10

SHA256

448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c

Threat Level: Likely benign

The file a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:44

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:44

Reported

2024-06-12 23:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2980 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp/fallbackfiles/'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 205.185.208.154:443 t8u4n6u7.ssl.hwcdn.net tcp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico

C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png

C:\Program Files (x86)\tempo_6871

C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

memory/2148-74-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2980-120-0x0000000000400000-0x000000000043F000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\$IOOQG0B

memory/2148-213-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\329.bat

memory/2980-297-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C343~1.TXT

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:44

Reported

2024-06-12 23:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsj4FF7.tmp/fallbackfiles/'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png

C:\Users\Admin\AppData\Local\Temp\nsj4FF7.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico

C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

C:\Program Files (x86)\tempo_6871

C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D5948954A468D344C4E535A5BFB_LogFile.txt

memory/3520-73-0x0000000003410000-0x0000000003411000-memory.dmp

memory/2504-118-0x0000000000400000-0x000000000043F000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\$IE4Y6WS

memory/3520-177-0x0000000003410000-0x0000000003411000-memory.dmp

memory/2504-292-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\329.bat

C:\Users\Admin\AppData\Local\Temp\F5582D5948954A468D344C4E535A5BFB\F5582D~1.TXT

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 23:44

Reported

2024-06-12 23:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

Signatures

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2112 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2112 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2112 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\$_3_.exe

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\14292.bat" "C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\""

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 205.185.208.154:443 t8u4n6u7.ssl.hwcdn.net tcp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 log.web-installer-assets.com udp

Files

C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

C:\Program Files (x86)\tempo_6854

memory/2212-67-0x0000000000190000-0x000000000033F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A6219B84B20A5B8A402D5711765_LogFile.txt

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I65T6HK

memory/2212-201-0x0000000000190000-0x000000000033F000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$I3JTVT8

C:\Users\Admin\AppData\Local\Temp\14292.bat

memory/2212-286-0x0000000000190000-0x000000000033F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\05919A6219B84B20A5B8A402D5711765\05919A~1.TXT

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 23:44

Reported

2024-06-12 23:46

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\$_3_.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_3_.exe

"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24607.bat" "C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\""

Network

Country Destination Domain Proto
US 8.8.8.8:53 t8u4n6u7.ssl.hwcdn.net udp
US 205.185.208.154:443 t8u4n6u7.ssl.hwcdn.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 c6m7w2m9.ssl.hwcdn.net udp
US 204.79.197.237:443 g.bing.com tcp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 fallback.playtech-installer.com udp
US 205.185.208.154:443 c6m7w2m9.ssl.hwcdn.net tcp
US 8.8.8.8:53 log.web-installer-assets.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

C:\Program Files (x86)\tempo_6858

C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC77550A4E14579BD50E4DA458E248A_LogFile.txt

memory/4800-65-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2447855248-390457009-3660902674-1000\$IA2Y796

memory/4800-196-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24607.bat

C:\Users\Admin\AppData\Local\Temp\7FC77550A4E14579BD50E4DA458E248A\7FC775~1.TXT
