Malware Analysis Report

2024-11-30 06:38

Sample ID 240612-w4s55syern
Target a1be3cbefb845eac49a0cad049876a73_JaffaCakes118
SHA256 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
Tags
discovery evasion spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd

Threat Level: Likely malicious

The file a1be3cbefb845eac49a0cad049876a73_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion spyware stealer

Checks for common network interception software

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VMWare Tools registry key

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Checks system information in the registry

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:28

Reported

2024-06-12 18:31

Platform

win7-20231129-en

Max time kernel

138s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"

Signatures

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fonts\pns.ttf C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe
PID 2956 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util

Network

Country Destination Domain Proto
US 8.8.8.8:53 chistilka.com udp
US 8.8.8.8:53 api.amplitude.com udp
US 44.240.109.3:80 api.amplitude.com tcp
DE 80.240.18.87:80 chistilka.com tcp
US 8.8.8.8:53 stat2.chistilka.com udp
FR 54.37.81.78:443 stat2.chistilka.com tcp
US 8.8.8.8:53 chistilka.ru udp
FR 54.37.81.78:443 stat2.chistilka.com tcp
US 104.21.37.8:443 chistilka.ru tcp
US 8.8.8.8:53 i.pki.goog udp
GB 172.217.169.67:80 i.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 44.240.109.3:80 api.amplitude.com tcp
US 8.8.8.8:53 chistilka.com udp
US 8.8.8.8:53 update.chistilka.com udp
DE 80.240.18.87:443 chistilka.com tcp
FR 5.135.140.26:443 update.chistilka.com tcp
US 44.240.109.3:80 api.amplitude.com tcp
US 8.8.8.8:53 pay.chistilka.com udp
US 172.67.172.117:443 pay.chistilka.com tcp
DE 140.82.35.84:80 140.82.35.84 tcp
FR 54.37.81.78:80 stat2.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 8.8.8.8:53 new.config.chistilka.com udp
US 8.8.8.8:53 time.google.com udp
US 44.240.109.3:80 api.amplitude.com tcp
US 104.21.37.8:443 chistilka.ru tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
DE 80.240.18.87:443 chistilka.com tcp
FR 5.135.140.26:443 update.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp

Files

\ProgramData\Чистилка\Чистилка.exe

MD5 a1be3cbefb845eac49a0cad049876a73
SHA1 68f8f9ed528a21ca796fe3fa228b8e0ad1141218
SHA256 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
SHA512 c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

MD5 5ad4011ed312ded0730c6e6c3b6e8ec0
SHA1 585b6955d977987f79cb26108681b79139b3804f
SHA256 a6c5fc3ef8e7518266a9e37da7bc77100c9bc29bb156646da8823ec46601ed63
SHA512 2765594f8250dbaf48d93432b7f72646f68b12af354f165a48a6b74386bee2bbacaf9e7850e35347db144d83b7bc9d71620cb7ead8a9c389f6f4e6ad83f8d772

C:\Users\Public\Desktop\Чистилка.lnk

MD5 878065c613c8c619e684dcf2fdef55bb
SHA1 33f3c592603b472e817f7ffdbbe201ce4e10a4b5
SHA256 02d9447bea51c58af833a9d3f1fb4439765dbc5d941ec2ff2145059c24baf998
SHA512 70828d9f36a5e481566da00cf4c688b2586798637141edc08348e007061791700ca3e6c81de085bb2f82f2ae96373a05662cef49e61bf8a368e18c508d53e1de

memory/2956-49-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

MD5 d7ebb78bf1f0e4a8278b2d63013b1134
SHA1 498b315dcba9bf4403d6748be61453d5d8991b61
SHA256 c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
SHA512 ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

memory/2956-66-0x0000000000A40000-0x0000000000F9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\clnEC3.tmp

MD5 abee4387ab69da821ed9397cc651597d
SHA1 5d14f4afdbe15448bf884b528ffffab874f920a7
SHA256 ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
SHA512 e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

C:\ProgramData\Чистилка\settings.json

MD5 bfda7ae0084bf200cca8abb94c0e46a2
SHA1 d8bcefd54c862290862f6d06edaef226c8fd7911
SHA256 392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136
SHA512 f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:28

Reported

2024-06-12 18:31

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"

Signatures

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fonts\pns.ttf C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0 C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /test

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe" /restart /util

Network

Country Destination Domain Proto
US 8.8.8.8:53 chistilka.com udp
US 8.8.8.8:53 api.amplitude.com udp
DE 80.240.18.87:80 chistilka.com tcp
US 52.89.33.48:80 api.amplitude.com tcp
US 8.8.8.8:53 stat2.chistilka.com udp
FR 54.37.81.78:443 stat2.chistilka.com tcp
US 8.8.8.8:53 chistilka.ru udp
FR 54.37.81.78:443 stat2.chistilka.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 172.67.202.42:443 chistilka.ru tcp
US 8.8.8.8:53 chistilka.com udp
US 52.89.33.48:80 api.amplitude.com tcp
US 8.8.8.8:53 update.chistilka.com udp
DE 80.240.18.87:443 chistilka.com tcp
FR 5.135.140.26:443 update.chistilka.com tcp
BE 88.221.83.219:443 www.bing.com tcp
US 52.89.33.48:80 api.amplitude.com tcp
US 8.8.8.8:53 pay.chistilka.com udp
DE 140.82.35.84:80 140.82.35.84 tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 87.18.240.80.in-addr.arpa udp
US 8.8.8.8:53 78.81.37.54.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 42.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.140.135.5.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
FR 54.37.81.78:80 stat2.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 84.35.82.140.in-addr.arpa udp
US 8.8.8.8:53 117.172.67.172.in-addr.arpa udp
US 8.8.8.8:53 new.config.chistilka.com udp
US 8.8.8.8:53 time.google.com udp
US 52.89.33.48:80 api.amplitude.com tcp
US 172.67.202.42:443 chistilka.ru tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
DE 80.240.18.87:443 chistilka.com tcp
FR 5.135.140.26:443 update.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 8.8.8.8:53 0.35.239.216.in-addr.arpa udp
US 172.67.172.117:443 pay.chistilka.com tcp
US 172.67.172.117:443 pay.chistilka.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 195.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\ProgramData\Чистилка\Чистилка.exe

MD5 a1be3cbefb845eac49a0cad049876a73
SHA1 68f8f9ed528a21ca796fe3fa228b8e0ad1141218
SHA256 4a0d89026fc07bec802a4be7341353f3945685075c3e4023b3403c3d7c51e8cd
SHA512 c5238ff3595869b8fdf4a8194bf4e9f6ea7ae3e96ea802d368d6d44d89512fe04457b5c9da390b66ec4435cfbc40167c1b3f04c710322ea3611cf0b5b33f904e

C:\Users\Public\Desktop\Чистилка.lnk

MD5 77106b36ec3d6c7ee4f5b69c1110169b
SHA1 bb6495448f765e40fd157a47d8774bf579677e22
SHA256 817f836d1023d2d7b926858bc3d3b1b5013143c106c8e511c317825d0f914a5e
SHA512 57ac6d511a8c3c2cb722fae7cb2f7476ef23870c0ff065b86eb4137d1dba6fba6fe159a7e09b84578b80faaf9a4a9bd83776b947578a7f48335a2ee154b71d2a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

MD5 02a123f9c35fd77b52145ec8686b5b19
SHA1 f09e4058be4e1b07b6317e8219a38ba9a8ed2acc
SHA256 585ab48e10fc363d6e10310796c60438232dafb645834774d7c49e707001b3d8
SHA512 008b74e359392263067bd0475b264d7490c7c5946890e1ad83753e57c2cd82a7a380a3bc642eed1e42f2efb9bc5cb8dfe6e77bdac99bc643f58a298b9db99fb3

C:\Users\Admin\AppData\Local\Temp\a1be3cbefb845eac49a0cad049876a73_JaffaCakes118.exe

MD5 d7ebb78bf1f0e4a8278b2d63013b1134
SHA1 498b315dcba9bf4403d6748be61453d5d8991b61
SHA256 c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
SHA512 ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

C:\Users\Admin\AppData\Local\Temp\cln36EF.tmp

MD5 abee4387ab69da821ed9397cc651597d
SHA1 5d14f4afdbe15448bf884b528ffffab874f920a7
SHA256 ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
SHA512 e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

memory/2416-43-0x00000000009E0000-0x0000000000F3B000-memory.dmp

C:\ProgramData\Чистилка\settings.json

MD5 bfda7ae0084bf200cca8abb94c0e46a2
SHA1 d8bcefd54c862290862f6d06edaef226c8fd7911
SHA256 392d65add004805bbe7346e85f8f802dcfddcfe6302e047ccee1b02881d8a136
SHA512 f36d2266bc23d8979bac56d99d3aa2e59b386ec6df3758396831c48efdd829247460e6fb685f5139dac5ea98d42b34195f1f62e8cedfa5dc797ac24a8882e1af

C:\WINDOWS\FONTS\PNS.TTF

MD5 df8c626474a73ab7a8b511655597c7c4
SHA1 5de28f387ea88553d195d1978286d43c33231969
SHA256 723091ba5a1b8e65164075516d69c00c71225c6dde61ffc32dd4047803ab42b5
SHA512 c8f7d1577cb70610c40b96c835faca6b916c4924b5061351c8a67287567556b2014efb7c73cdcc4fb6533829541cd0264b8a9e428d3c572e29c06b0d96633d59