Analysis Overview
SHA256
2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5
Threat Level: Likely malicious
The file aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Looks for VirtualBox Guest Additions in registry
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of web browsers
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Checks system information in the registry
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 14:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 14:48
Reported
2024-06-14 14:51
Platform
win7-20240611-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fonts\pns.ttf | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"
C:\ProgramData\Чистилка\Чистилка.exe
C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe" /test
C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe" /restart /util
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chistilka.com | udp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| US | 8.8.8.8:53 | pay.chistilka.com | udp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 8.8.8.8:53 | chistilka.ru | udp |
| US | 188.114.96.2:443 | chistilka.ru | tcp |
| US | 8.8.8.8:53 | time.google.com | udp |
| US | 8.8.8.8:53 | stat2.chistilka.com | udp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| US | 216.239.38.178:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | update.chistilka.com | udp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| DE | 140.82.35.84:80 | 140.82.35.84 | tcp |
| US | 8.8.8.8:53 | new.config.chistilka.com | udp |
| US | 8.8.8.8:53 | api.amplitude.com | udp |
| US | 52.37.201.186:80 | api.amplitude.com | tcp |
| US | 188.114.96.2:443 | chistilka.ru | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| FR | 54.37.81.78:443 | stat2.chistilka.com | tcp |
| DE | 80.240.18.87:443 | chistilka.com | tcp |
| FR | 5.135.140.26:443 | update.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
| US | 104.21.47.204:443 | pay.chistilka.com | tcp |
Files
\ProgramData\Чистилка\Чистилка.exe
| MD5 | aa41ba0a367948e18f682f90c32efcb3 |
| SHA1 | 77a62b5ab8ebbede1f6793ec42a6d0991091f3d4 |
| SHA256 | 2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5 |
| SHA512 | 14606232eba3d1396facfeb86e7fe27947213a9dbb19d5a2639ffe41743394ed7a0ce504f74d0a1d285ff63b09b07289d2f78f1d04336e30bf821f1a4f8a179e |
C:\Users\Public\Desktop\Чистилка.lnk
| MD5 | b22fe742ef1b240b92708e927e036ce5 |
| SHA1 | 587134c1bc083f3eb582aea54f21af9e4c1d01a3 |
| SHA256 | 976c1ee785207ac1e58b8e036571c41e2994cdb588ad3251916e091740f9cc05 |
| SHA512 | 660f381037cc1c0b38ab74165396a78f6cf44ad97b0d027293675b868bd1311c0fbfc2dca3b5edbf052e6e5d3274fc9ae205e2066d95d0ea4fa4a721bbd25d82 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk
| MD5 | abd4953459070ff0b9b98728204b8829 |
| SHA1 | 320c021c47020e9567dc7b56070291fe3f97fba4 |
| SHA256 | 6d7580bc799a635b89cf892fa35acc51b207c122b9e6226c6e39dc6446d5ffef |
| SHA512 | 0fd775646b183f25344736236af11e1efe6c46e039566e4619abe69758c7d7620b31f6a6fbdc4253528756dc815b48955f0122d34a027e0ad576e93dc88f3a05 |
memory/1152-39-0x00000000007B0000-0x00000000007B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
| MD5 | d7ebb78bf1f0e4a8278b2d63013b1134 |
| SHA1 | 498b315dcba9bf4403d6748be61453d5d8991b61 |
| SHA256 | c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8 |
| SHA512 | ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312 |
memory/1152-62-0x0000000000080000-0x00000000004DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cln85F3.tmp
| MD5 | abee4387ab69da821ed9397cc651597d |
| SHA1 | 5d14f4afdbe15448bf884b528ffffab874f920a7 |
| SHA256 | ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22 |
| SHA512 | e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904 |
memory/1152-69-0x0000000000080000-0x00000000004DE000-memory.dmp
C:\ProgramData\Чистилка\settings.json
| MD5 | 7b1f4611fde318efe702102a65a7cf37 |
| SHA1 | 3b6b25f7858135a903f06e4236d4d288179c32b8 |
| SHA256 | 0fee7a989e4db82caa219cc5663e97678e1162267a7a170002755390716068f2 |
| SHA512 | d4e66fe6fb5265452ec3f66e36461c1707808881a6371a9caf6a074f0a17f3af3e89bb66db2ebc16fa9361d569afef6d3cf9287914728a86e7bc8800fad9fbbc |
C:\ProgramData\Чистилка\config.dat
| MD5 | 614b62170e585ef6485ff11b62441985 |
| SHA1 | c9f5c8afe4440d65f0dead368e059bb9264e17f4 |
| SHA256 | c963b78a3afddf9a2ec30eb521b6b957721954a1e234c94a29f816bc4d9600ba |
| SHA512 | b9d35c00109c72238b5b04d415c1891a11c53ec4ccbf0981f007981f73dad027637718c2f2369433e3e306510aad07030832000e820ceedc896912a1fd25f546 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 14:48
Reported
2024-06-14 14:51
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fonts\pns.ttf | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Чистилка\Чистилка.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3196 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | C:\ProgramData\Чистилка\Чистилка.exe |
| PID 3196 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | C:\ProgramData\Чистилка\Чистилка.exe |
| PID 3196 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe | C:\ProgramData\Чистилка\Чистилка.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"
C:\ProgramData\Чистилка\Чистилка.exe
C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chistilka.com | udp |
| DE | 140.82.35.84:80 | tcp | |
| US | 8.8.8.8:53 | pay.chistilka.com | udp |
| DE | 140.82.35.84:80 | tcp | |
| US | 8.8.8.8:53 | chistilka.ru | udp |
| US | 8.8.8.8:53 | time.google.com | udp |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| US | 8.8.8.8:53 | chistilka.ru | udp |
| US | 8.8.8.8:53 | pay.chistilka.com | udp |
| US | 8.8.8.8:53 | update.chistilka.com | udp |
| US | 8.8.8.8:53 | stat2.chistilka.com | udp |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| DE | 140.82.35.84:80 | tcp | |
| US | 8.8.8.8:53 | stat2.chistilka.com | udp |
| US | 8.8.8.8:53 | update.chistilka.com | udp |
| DE | 140.82.35.84:80 | tcp |
Files
C:\ProgramData\Чистилка\Чистилка.exe
| MD5 | aa41ba0a367948e18f682f90c32efcb3 |
| SHA1 | 77a62b5ab8ebbede1f6793ec42a6d0991091f3d4 |
| SHA256 | 2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5 |
| SHA512 | 14606232eba3d1396facfeb86e7fe27947213a9dbb19d5a2639ffe41743394ed7a0ce504f74d0a1d285ff63b09b07289d2f78f1d04336e30bf821f1a4f8a179e |
C:\Users\Public\Desktop\Чистилка.lnk
| MD5 | be3468c8e210cd743b5ab9710593baff |
| SHA1 | f862d1b0aaa0e7c36afbbd1f934b59da4b1ea586 |
| SHA256 | 3222cc5c3bcf2dd8f097063768ee59f0669e29e99c1de3ca37bbfe5265208c26 |
| SHA512 | 3336298ddc9b116e7d1efae059720771df954dee1cbd54c3e0bc4e6083324a66a444db822aca8ebf5d1ff9a1847fa4e69b09362cd0f4518d9a3bc04989242c94 |