Analysis Overview
SHA256
2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2
Threat Level: Known bad
The file a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Creates new service(s)
Stops running service(s)
Drops file in Drivers directory
ACProtect 1.3x - 1.4x DLL software
Reads user/profile data of web browsers
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Checks installed software on the system
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win7-20240220-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| N/A | N/A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| N/A | N/A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| N/A | N/A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0" | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\78aeb84ef7f864a3cbdc2d754802eb81.ico | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nss3.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nspr4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plc4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\mozcrt19.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\da32af249fcc8bb76881919b2c13248d.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\WBE_uninstall.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plds4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\softokn3.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\0ee18cd84a6ff5795bf5c5821ca016e3 | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\kiebqmtyeydresvp.kiebq | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| File created | C:\Windows\da32af249fcc8bb76881919b2c13248d.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Windows\uninstaller.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\SysWOW64\wscript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9 | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "eab27f564f6aa95ace08e0b9f5fd608c" | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A\Blob = 030000000100000014000000c60fabaa1b65e2e42dce7d0a4c6ced70ea52c06a20000000010000000803000030820304308201eca003020102021100fbec9938a373483790d5af0274c84987300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c126565633832336138323165376633333720323020170d3034303631373134313131325a180f32303634303630323134313131325a302a310b300906035504061302454e311b301906035504030c1265656338323361383231653766333337203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051f8045d76714e11193ac045932526ec16a4562e79f8cef75078f4caa3312cfb4e9958b8c345035f38a0b060a88d552107b6cd4af5c6c7c379770450a2d58a142f46d978b7582b9cd7215c50f005366e6572bde12992e155b5ad2706d7681d3bf32235c603d3badc688e602e005362287051cee679b07dc7e50a681b6270a36d84e2af94cb52c3cb30945b8bf25ed3a9b553ad655b31b389694c30998a7d5e4cd2ece4c920679d6a483850a13dd0c4c424c304dc6cd84d594c5dd6d3dc77e95e2b2a6913103021dd6158cb4266e0e571da4cfb25e849b93ed85191753a8d66cbd18fccc3bd0a09e26c68d621232311eb47ec87c0f61a86cdf65ff98da6b3d3ff | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A | C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"
C:\Windows\SysWOW64\sc.exe
sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"
C:\Windows\SysWOW64\net.exe
net start --
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start --
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nso38B.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"
C:\Windows\SysWOW64\sc.exe
sc delete --
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install_updater 0
C:\Windows\SysWOW64\sc.exe
sc create ae17162624d60054bd221228f70d7531 binPath= "rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe" start= auto
C:\Windows\SysWOW64\sc.exe
sc failure ae17162624d60054bd221228f70d7531 reset= 30 actions= restart/5000
C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install
C:\Windows\SysWOW64\sc.exe
sc create d435e23f50e54d4bad7887b91b33f8b5 binpath= system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys DisplayName= d435e23f50e54d4bad7887b91b33f8b5 type= kernel start= system group= PNP_TDI
C:\Windows\SysWOW64\sc.exe
sc start d435e23f50e54d4bad7887b91b33f8b5
C:\Windows\SysWOW64\sc.exe
sc create eab27f564f6aa95ace08e0b9f5fd608c displayname= eab27f564f6aa95ace08e0b9f5fd608c binPath= "C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" start= auto depend= RPCSS
C:\Windows\SysWOW64\sc.exe
sc start ae17162624d60054bd221228f70d7531
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe
C:\Windows\SysWOW64\sc.exe
sc failure eab27f564f6aa95ace08e0b9f5fd608c reset= 60 actions= restart/5000/restart/5000/restart/5000
C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Windows\kiebqmtyeydresvp.kiebq EXMe perform_update
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start d435e23f50e54d4bad7887b91b33f8b5
C:\Windows\system32\net.exe
net start d435e23f50e54d4bad7887b91b33f8b5
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start d435e23f50e54d4bad7887b91b33f8b5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start eab27f564f6aa95ace08e0b9f5fd608c
C:\Windows\system32\net.exe
net start eab27f564f6aa95ace08e0b9f5fd608c
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start eab27f564f6aa95ace08e0b9f5fd608c
C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\lDerpvVTsgA.dll
| MD5 | e4bdc739307f32b968e32fcebc9c01f6 |
| SHA1 | 5f3d406f01579e3e8a67c05d2e31ec369e14604c |
| SHA256 | 17d489476f1f2fbe95a5ddb2a95a788528db842153c5582457133a79eb0756e0 |
| SHA512 | 494ab1baf1ba59aa6cb4209dae8d493b784d289c74ba66b34d826aebb4014bb2fdfa3f30680650408048d9197cab5b945936c36cac9529c220048cef4704224e |
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\CCGylfvpPId.dll
| MD5 | 41061901c1afc95553800c7203a31cd0 |
| SHA1 | 38fc9f859502166bf5e356b8820ed6a48b060f6d |
| SHA256 | cc0dc4f6b1bf6627532a8c8ab42ad087f3302000632d22713950f0a8c95e8f05 |
| SHA512 | c54f0bf158938fa332d482b1190e66cc7856465080fbddc5f7b95ff1f00491d29fa28c49854e6dda73a8e1e11cf2e845754033eb5cfe77327e1625039946c2eb |
C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js
| MD5 | a35b87106725234045494a6404a003f9 |
| SHA1 | f4d1a2529a271946382c17132a5ebea6449a753f |
| SHA256 | 17aa4126885d2299ada9a5e3fa5c21dc52e133bfed72a25a96e0152044ea2cd4 |
| SHA512 | 7924482b9e20801dd8d7abacd6fc4d2a1f182e4f663b0a519518e33c04b482d35d17d277af1e9555f9e8a3a92e67935dabbc5302507b2924ac4cc9b34546dd17 |
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\gHbMwlFrsMB.dll
| MD5 | 31eafd1f2c5bceb7761b52ea85cf6c26 |
| SHA1 | 51045a6eeddc1832a9a71fe95bb746192b1bbb2b |
| SHA256 | 27e62f38be7bd86e3144888e68ae6dd3cd9afccce244825929409b4e94623dd6 |
| SHA512 | 4aa675ad91e655cb36adabab706d9af07b91e1b0d71799f0a4068f02765d6010cdc15ef59eb15758e569cede0161d5e8797f4f39b7dcbfb97b95770acc18e4a8 |
memory/2924-22-0x0000000000400000-0x00000000015DB000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
memory/2924-34-0x0000000003000000-0x000000000300A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\nsExec.dll
| MD5 | 35200be9cf105f3defe2ae0ee44cea12 |
| SHA1 | 3f4a09eeb477d3f048cdfb848b95aa39b20d89dc |
| SHA256 | 0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527 |
| SHA512 | f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833 |
memory/2424-67-0x0000000000400000-0x00000000015DB000-memory.dmp
memory/2424-95-0x0000000002340000-0x000000000234A000-memory.dmp
memory/2424-97-0x0000000002340000-0x000000000234A000-memory.dmp
memory/2424-96-0x0000000002340000-0x000000000234A000-memory.dmp
\Windows\Temp\nsd571.tmp\brh.dll
| MD5 | 915ad39a9a5cac612cee374d81ff8af0 |
| SHA1 | d9f20e5174425e063194eefb18ef61ddeed14d4f |
| SHA256 | 31de470aadf7ae30d539e8296990b66a83876c9e21460e3b9e4d152e533f9e32 |
| SHA512 | 24d51ed914796d83e8b73b04fc7db18edde823e57214128106ab250e0798452c6fb2f4ad46acdf26d2d6b5ba4b0820244e97a4b3c9bef826eb6af1efd7475aa5 |
memory/2424-101-0x00000000032C0000-0x00000000033A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd12D.tmp\brh.dat
| MD5 | 99569bc87c4b4ccfde67559bba19aab1 |
| SHA1 | 65d86fc43b1341cf6a77eb8b9a0d7abd2b93ca20 |
| SHA256 | 24872a9d09ad34ebe40ee9a7887e1b97ba90e802de36051c2faf2acaaf7fa401 |
| SHA512 | 05400259837be68853062dd7ee8c38754891c1e51871052ba8fc6a84a4461a8e4dd9c41ba230dcb04cfd8ef69e91468e979e7682b54186e313dd6b8462bed4f4 |
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\IpConfig.dll
| MD5 | a75e3775daac9958610ce1308e0bca3b |
| SHA1 | d83ce354cde527c2e20fb425415f6d4795dd4cd4 |
| SHA256 | fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720 |
| SHA512 | 48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6 |
memory/2924-150-0x0000000003E10000-0x0000000003E37000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\inetc.dll
| MD5 | 1fc1fbb2c7a14b7901fc9abbd6dbef10 |
| SHA1 | 4d9ed86f31075a3d3f674ff78f39c190a4098126 |
| SHA256 | 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e |
| SHA512 | 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2 |
memory/2924-167-0x0000000003010000-0x000000000301A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\MoreInfo.dll
| MD5 | bd393029cc49b415b6c9aeb8a4936516 |
| SHA1 | c67fd92fffd18941bed41bfd6ac4f3b04fd123df |
| SHA256 | 227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026 |
| SHA512 | 3bb8e5cf4bea7e8adaa62196e58fff9031f49fd4efa78e5bd3e4b9c4e9ba1523864567521793053595d90abec719761a5964ff3abe04b93b24d52e5ffa4c1f96 |
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\NSISList.dll
| MD5 | 4b0617493f32b2b5fe5e838eeb885819 |
| SHA1 | 336e84380420a9caaa9c12af7c8e530135e63c57 |
| SHA256 | df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402 |
| SHA512 | 5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143 |
memory/2924-191-0x0000000003E40000-0x0000000003E64000-memory.dmp
memory/2924-220-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-219-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-234-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-233-0x0000000003E90000-0x0000000003E9A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\SimpleSC.dll
| MD5 | d63975ce28f801f236c4aca5af726961 |
| SHA1 | 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9 |
| SHA256 | e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43 |
| SHA512 | 8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810 |
memory/2924-239-0x0000000003E90000-0x0000000003EA3000-memory.dmp
memory/2924-253-0x0000000003E90000-0x0000000003E9A000-memory.dmp
\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
| MD5 | 7e6f083c27bc2f551f37119c8833e3bf |
| SHA1 | bc0e3f0ed4c7cafe6ea2f3f5dba37c29ae09001b |
| SHA256 | 29a3eb803621d54deaeb8af15735808ae7e3d7204be239111cd9269827e93cee |
| SHA512 | bfca9c08ea1265cf7bf873ae9f26094a28e37ddca58b89c07aedf15266efdc2dcf7e08656d13c9c4a5d3f152f6a4d7a4ddd601a7022a5313444f69836351eb23 |
C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat
| MD5 | 433956e0a3deb552c229d63e68240d33 |
| SHA1 | c615ed52c77ca5f78dd668877f608e0ce6c637a5 |
| SHA256 | 7a93d6b1c331e4ac8c0c8ae19f8fdf5fb9ed3ec3fa29e29dc113978f575d4227 |
| SHA512 | 0fe1c8a4af7e48ae1a43cffc136b730a46f57f1c44fc9b52e71675af25bc111ed551b35432c2a133f9edf5eb5039b84b8d962df1bc220e4a723851f6b78c1a8b |
memory/1820-259-0x0000000003080000-0x00000000035C2000-memory.dmp
memory/2924-287-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-298-0x0000000003000000-0x000000000300A000-memory.dmp
memory/2924-297-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-293-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-327-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/1364-332-0x0000000000E70000-0x0000000000F2C000-memory.dmp
memory/2924-339-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/1520-345-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-346-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-348-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-349-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-352-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-353-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-354-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-350-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-355-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-357-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-347-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-359-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-358-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-360-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-363-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-364-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-365-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/2924-368-0x0000000003010000-0x000000000301A000-memory.dmp
memory/1520-369-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-367-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-370-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-374-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-378-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-376-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-373-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/1520-371-0x0000000001B90000-0x00000000020D2000-memory.dmp
memory/2924-390-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-389-0x0000000003010000-0x000000000301A000-memory.dmp
memory/3044-392-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-394-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-399-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-400-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-402-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-401-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-403-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-404-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/2924-416-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/3044-420-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-421-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-422-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/3044-423-0x0000000001C60000-0x00000000021A2000-memory.dmp
memory/2924-415-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-481-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-493-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-494-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-496-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-495-0x0000000003E90000-0x0000000003E9A000-memory.dmp
memory/2924-497-0x0000000003E90000-0x0000000003E9A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 840 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 840 wrote to memory of 4332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3552 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\lDerpvVTsgA.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\auBVPavMwbA.js
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win10v2004-20240508-en
Max time kernel
121s
Max time network
53s
Command Line
Signatures
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
13 matches (indicator, process and target not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| N/A | N/A | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| N/A | N/A | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| N/A | N/A | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
13 matches (indicator, process and target not captured in this export)
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\60cb5ebb756c8327d6337bbd6d4e0c80.ico | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nspr4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\softokn3.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nss3.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\mozcrt19.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\WBE_uninstall.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\d44676e41aa285b35ad6810c42d46501 | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plc4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plds4.dll | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\39f45794e48e2f59e28c85f2268ab99f.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\kmeuigdmybpidnoh.kmeui | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| File created | C:\Windows\39f45794e48e2f59e28c85f2268ab99f.exe | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
| File created | C:\Windows\uninstaller.dat | C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\JScriptSetScriptStateStarted = "240622046" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "8851a48e15ac572110fe90b5c9102a7c" | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 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 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 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 | C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
4 matches (indicator, process and target not captured in this export)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nso4363.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"
C:\Windows\SysWOW64\sc.exe
sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"
C:\Windows\SysWOW64\net.exe
net start --
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start --
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1
C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nsg49DB.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"
C:\Windows\SysWOW64\sc.exe
sc delete --
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install_updater 0
C:\Windows\SysWOW64\sc.exe
sc create 4751186987c488b730105857f007e3b1 binPath= "rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe" start= auto
C:\Windows\SysWOW64\sc.exe
sc failure 4751186987c488b730105857f007e3b1 reset= 30 actions= restart/5000
C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install
C:\Windows\SysWOW64\sc.exe
sc create b6853ce52f7d6144b04e5ff97658e701 binpath= system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys DisplayName= b6853ce52f7d6144b04e5ff97658e701 type= kernel start= system group= PNP_TDI
C:\Windows\SysWOW64\sc.exe
sc start b6853ce52f7d6144b04e5ff97658e701
C:\Windows\SysWOW64\sc.exe
sc create 8851a48e15ac572110fe90b5c9102a7c displayname= 8851a48e15ac572110fe90b5c9102a7c binPath= "C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" start= auto depend= RPCSS
C:\Windows\SysWOW64\sc.exe
sc start 4751186987c488b730105857f007e3b1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe
C:\Windows\SysWOW64\sc.exe
sc failure 8851a48e15ac572110fe90b5c9102a7c reset= 60 actions= restart/5000/restart/5000/restart/5000
C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Windows\kmeuigdmybpidnoh.kmeui EXMe perform_update
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start b6853ce52f7d6144b04e5ff97658e701
C:\Windows\system32\net.exe
net start b6853ce52f7d6144b04e5ff97658e701
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start b6853ce52f7d6144b04e5ff97658e701
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start 8851a48e15ac572110fe90b5c9102a7c
C:\Windows\system32\net.exe
net start 8851a48e15ac572110fe90b5c9102a7c
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start 8851a48e15ac572110fe90b5c9102a7c
C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"
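The process list above, together with the "Modifies system certificate store" table, is the part of this report a detection engineer would turn into rules: services created under md5-looking names, a service whose binPath is really rundll32 loading a non-.dll module from C:\Windows, a kernel driver registered with `type= kernel start= system`, `sc failure` auto-restart, `reg add` writes under `HKLM\SOFTWARE\Policies\Microsoft\MRT`, and a root CA thumbprint written under the machine ROOT store. The Python below is an added example, not part of the sandbox report and not the sample's own code. It runs those rules over a handful of constructed Sysmon-style events whose command lines and registry paths are copied from this report; the event shape, rule names, severities and the `VendorAgent` benign control line are the example's own assumptions.

```python
"""Added detection example (not sandbox output or the sample's code): rules over constructed
process/registry events whose command lines and keys are copied from this report."""
import re
from collections import Counter
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # md5-looking service names, as in the report
SC_HEAD = re.compile(r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+(\w+)\s+(\S+)', re.I)  # sc <verb> <name>
SC_KV = re.compile(r"(\w+)=\s*(.*?)(?=\s+\w+=\s|\s*$)")  # sc.exe's "key= value" pairs
REG_ADD = re.compile(r'^\s*(?:[^"\s]*\\)?reg(?:\.exe)?\s+add\s+"?([^"\s]+)"?\s+(.*)$', re.I)
RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",\s]+)', re.I)
ROOT_CERT = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})(?:\\|$)", re.I)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
MRT_VALUES = {"dontreportinfectioninformation", "dontofferthroughwuau"}  # MRT policy switches
MODULE_EXTS = (".dll", ".cpl", ".ocx", ".ax")  # what rundll32 is normally handed

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str

def parse_sc(cmd):
    """Return (verb, service_name, {key: value}) for an sc.exe command line, else None."""
    head = SC_HEAD.match(cmd)
    if not head:
        return None
    kv = {k.lower(): v.strip().strip('"') for k, v in SC_KV.findall(cmd)}
    return head.group(1).lower(), head.group(2), kv

def check_sc(cmd):
    parsed = parse_sc(cmd)
    if not parsed:
        return []
    verb, name, kv = parsed
    out = []
    if verb == "create":
        binpath = kv.get("binpath", "")
        if HEX32.match(name):
            out.append(Finding("sc_hex_service_name", "medium", name))
        if re.search(r"\brundll32(?:\.exe)?\b", binpath, re.I):  # service hosted by rundll32
            out.append(Finding("sc_binpath_rundll32", "high", binpath))
        if USER_TEMP.search(binpath):  # service image under a user-writable temp dir
            out.append(Finding("sc_binpath_user_temp", "high", binpath))
        if kv.get("type", "").lower() == "kernel":  # driver registration
            out.append(Finding("sc_kernel_driver_install", "high", binpath))
    elif verb == "failure" and "restart" in kv.get("actions", "").lower():
        out.append(Finding("sc_failure_autorestart", "low", name))
    return out

def check_reg_add(cmd):
    m = REG_ADD.match(cmd)
    value = re.search(r"/v\s+(\S+)", m.group(2), re.I) if m else None
    if value and r"\policies\microsoft\mrt" in m.group(1).lower() and value.group(1).lower() in MRT_VALUES:
        return [Finding("mrt_reporting_disabled", "medium", f"{m.group(1)}\\{value.group(1)}")]
    return []

def check_rundll32(cmd):
    m = RUNDLL.match(cmd)
    if not m or m.group(1).lower().endswith(MODULE_EXTS):
        return []
    return [Finding("rundll32_nonstandard_module_ext", "high", m.group(1))]

def check_root_cert(ev):
    m = ROOT_CERT.search(ev["key"])
    return [Finding("root_cert_installed", "high", f"{m.group(1)} {ev['op']} by {ev['image']}")] if m else []

def scan(events):
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings += check_sc(ev["cmd"]) + check_reg_add(ev["cmd"]) + check_rundll32(ev["cmd"])
        else:
            findings += check_root_cert(ev)
    return findings

def summarize(findings):
    return dict(Counter(f.rule for f in findings))

# Constructed events: command lines and keys from this report, plus one benign control line.
SVC_EXE = r"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"
CERT_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270"
SAMPLE_EVENTS = [{"type": "process", "cmd": c} for c in (
    r'sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"',
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64",
    r'sc create 4751186987c488b730105857f007e3b1 binPath= "rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe" start= auto',
    r"sc failure 4751186987c488b730105857f007e3b1 reset= 30 actions= restart/5000",
    r"sc create b6853ce52f7d6144b04e5ff97658e701 binpath= system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys DisplayName= b6853ce52f7d6144b04e5ff97658e701 type= kernel start= system group= PNP_TDI",
    f'sc create 8851a48e15ac572110fe90b5c9102a7c displayname= 8851a48e15ac572110fe90b5c9102a7c binPath= "{SVC_EXE}" start= auto depend= RPCSS',
    r"sc failure 8851a48e15ac572110fe90b5c9102a7c reset= 60 actions= restart/5000/restart/5000/restart/5000",
    r"rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe",
    r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto',  # benign control (constructed)
)] + [
    {"type": "registry", "op": "Key created", "image": SVC_EXE, "key": CERT_KEY},
    {"type": "registry", "op": "Set value (data)", "image": SVC_EXE, "key": CERT_KEY + r"\Blob"},
]
```

`scan(SAMPLE_EVENTS)` yields thirteen findings across eight rules and nothing for the benign `VendorAgent` line; the `sc create --` line is caught only by its binPath under the user's Temp directory, which is the right signal for an NSIS installer that registers itself as a service before the real payload lands. The `sc` parser relies on sc.exe's `key= value` spacing, so a production pipeline should normalise arguments rather than trust the raw command line, and the MRT rule matches on the key path alone so that the `/reg:32` and `/reg:64` variants seen above fold into one rule. The `net start`, `wscript.exe`-from-Temp and `.kmeui` file-drop steps in this chain are deliberately left out of the example.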
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
| US | 8.8.8.8:53 | mansactechnology.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\lDerpvVTsgA.dll
| MD5 | e4bdc739307f32b968e32fcebc9c01f6 |
| SHA1 | 5f3d406f01579e3e8a67c05d2e31ec369e14604c |
| SHA256 | 17d489476f1f2fbe95a5ddb2a95a788528db842153c5582457133a79eb0756e0 |
| SHA512 | 494ab1baf1ba59aa6cb4209dae8d493b784d289c74ba66b34d826aebb4014bb2fdfa3f30680650408048d9197cab5b945936c36cac9529c220048cef4704224e |
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\CCGylfvpPId.dll
| MD5 | 41061901c1afc95553800c7203a31cd0 |
| SHA1 | 38fc9f859502166bf5e356b8820ed6a48b060f6d |
| SHA256 | cc0dc4f6b1bf6627532a8c8ab42ad087f3302000632d22713950f0a8c95e8f05 |
| SHA512 | c54f0bf158938fa332d482b1190e66cc7856465080fbddc5f7b95ff1f00491d29fa28c49854e6dda73a8e1e11cf2e845754033eb5cfe77327e1625039946c2eb |
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\gHbMwlFrsMB.dll
| MD5 | 31eafd1f2c5bceb7761b52ea85cf6c26 |
| SHA1 | 51045a6eeddc1832a9a71fe95bb746192b1bbb2b |
| SHA256 | 27e62f38be7bd86e3144888e68ae6dd3cd9afccce244825929409b4e94623dd6 |
| SHA512 | 4aa675ad91e655cb36adabab706d9af07b91e1b0d71799f0a4068f02765d6010cdc15ef59eb15758e569cede0161d5e8797f4f39b7dcbfb97b95770acc18e4a8 |
memory/1348-21-0x0000000000400000-0x00000000015DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js
| MD5 | a35b87106725234045494a6404a003f9 |
| SHA1 | f4d1a2529a271946382c17132a5ebea6449a753f |
| SHA256 | 17aa4126885d2299ada9a5e3fa5c21dc52e133bfed72a25a96e0152044ea2cd4 |
| SHA512 | 7924482b9e20801dd8d7abacd6fc4d2a1f182e4f663b0a519518e33c04b482d35d17d277af1e9555f9e8a3a92e67935dabbc5302507b2924ac4cc9b34546dd17 |
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
memory/1348-37-0x0000000003930000-0x000000000393A000-memory.dmp
memory/1348-36-0x0000000003930000-0x000000000393A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\nsExec.dll
| MD5 | 35200be9cf105f3defe2ae0ee44cea12 |
| SHA1 | 3f4a09eeb477d3f048cdfb848b95aa39b20d89dc |
| SHA256 | 0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527 |
| SHA512 | f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833 |
memory/1676-71-0x0000000000400000-0x00000000015DB000-memory.dmp
memory/1676-84-0x0000000002580000-0x000000000258A000-memory.dmp
memory/1676-83-0x0000000002580000-0x000000000258A000-memory.dmp
memory/1676-92-0x0000000002580000-0x000000000258A000-memory.dmp
memory/1676-106-0x0000000002580000-0x000000000258A000-memory.dmp
memory/1676-105-0x0000000002580000-0x000000000258A000-memory.dmp
C:\Windows\Temp\nsx4C11.tmp\brh.dll
| MD5 | 915ad39a9a5cac612cee374d81ff8af0 |
| SHA1 | d9f20e5174425e063194eefb18ef61ddeed14d4f |
| SHA256 | 31de470aadf7ae30d539e8296990b66a83876c9e21460e3b9e4d152e533f9e32 |
| SHA512 | 24d51ed914796d83e8b73b04fc7db18edde823e57214128106ab250e0798452c6fb2f4ad46acdf26d2d6b5ba4b0820244e97a4b3c9bef826eb6af1efd7475aa5 |
memory/1676-109-0x00000000042C0000-0x00000000043A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\brh.dat
| MD5 | 99569bc87c4b4ccfde67559bba19aab1 |
| SHA1 | 65d86fc43b1341cf6a77eb8b9a0d7abd2b93ca20 |
| SHA256 | 24872a9d09ad34ebe40ee9a7887e1b97ba90e802de36051c2faf2acaaf7fa401 |
| SHA512 | 05400259837be68853062dd7ee8c38754891c1e51871052ba8fc6a84a4461a8e4dd9c41ba230dcb04cfd8ef69e91468e979e7682b54186e313dd6b8462bed4f4 |
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\IpConfig.dll
| MD5 | a75e3775daac9958610ce1308e0bca3b |
| SHA1 | d83ce354cde527c2e20fb425415f6d4795dd4cd4 |
| SHA256 | fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720 |
| SHA512 | 48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6 |
memory/1348-173-0x0000000003930000-0x0000000003957000-memory.dmp
memory/1348-184-0x0000000003960000-0x000000000396A000-memory.dmp
memory/1348-185-0x0000000003960000-0x000000000396A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\inetc.dll
| MD5 | 1fc1fbb2c7a14b7901fc9abbd6dbef10 |
| SHA1 | 4d9ed86f31075a3d3f674ff78f39c190a4098126 |
| SHA256 | 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e |
| SHA512 | 76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2 |
C:\Windows\TEMP\nsg49DB.tmp\YdSLBLjn.gif
| MD5 | 76d55de34d422ce2d0cfd50cd69e8504 |
| SHA1 | 3840919f4b55f13cc80a8f22aacf7b7826d8572d |
| SHA256 | 207ad318eb1f2872831661e135af8f6ee17555e19cf46132d72fcd17cfe994e3 |
| SHA512 | a7727239b9cf84ade24ab21f902d43ddfbd37ed8656ee9b01c98b11db50f2c6848a931ea8f8c4e74445df1041578d04ac70185ebdaeaa5033c7b1d81b5361cd7 |
memory/1348-203-0x0000000003930000-0x000000000393A000-memory.dmp
memory/1348-204-0x0000000003960000-0x000000000396A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\MoreInfo.dll
| MD5 | bd393029cc49b415b6c9aeb8a4936516 |
| SHA1 | c67fd92fffd18941bed41bfd6ac4f3b04fd123df |
| SHA256 | 227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026 |
| SHA512 | 3bb8e5cf4bea7e8adaa62196e58fff9031f49fd4efa78e5bd3e4b9c4e9ba1523864567521793053595d90abec719761a5964ff3abe04b93b24d52e5ffa4c1f96 |
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\NSISList.dll
| MD5 | 4b0617493f32b2b5fe5e838eeb885819 |
| SHA1 | 336e84380420a9caaa9c12af7c8e530135e63c57 |
| SHA256 | df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402 |
| SHA512 | 5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143 |
memory/1348-231-0x00000000040C0000-0x00000000040E4000-memory.dmp
memory/1348-278-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-277-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-276-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-273-0x0000000005700000-0x000000000570A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\SimpleSC.dll
| MD5 | d63975ce28f801f236c4aca5af726961 |
| SHA1 | 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9 |
| SHA256 | e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43 |
| SHA512 | 8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810 |
memory/1348-282-0x0000000005700000-0x0000000005713000-memory.dmp
memory/1348-298-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-295-0x0000000005700000-0x000000000570A000-memory.dmp
memory/880-300-0x0000000002EE0000-0x0000000003422000-memory.dmp
memory/1348-310-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-324-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-321-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-316-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-340-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-344-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-343-0x0000000005700000-0x000000000570A000-memory.dmp
memory/1348-341-0x0000000005700000-0x000000000570A000-memory.dmp
C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe
| MD5 | 7e6f083c27bc2f551f37119c8833e3bf |
| SHA1 | bc0e3f0ed4c7cafe6ea2f3f5dba37c29ae09001b |
| SHA256 | 29a3eb803621d54deaeb8af15735808ae7e3d7204be239111cd9269827e93cee |
| SHA512 | bfca9c08ea1265cf7bf873ae9f26094a28e37ddca58b89c07aedf15266efdc2dcf7e08656d13c9c4a5d3f152f6a4d7a4ddd601a7022a5313444f69836351eb23 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2980 wrote to memory of 2976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CCGylfvpPId.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win7-20240419-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2288 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 14:10
Reported
2024-06-12 14:13
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4932 wrote to memory of 3756 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gHbMwlFrsMB.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |