Malware Analysis Report

2024-09-23 11:51

Sample ID 240614-r6wxlaveqh
Target aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118
SHA256 2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5
Tags
bootkit discovery evasion persistence spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5

Threat Level: Likely malicious

The file aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion persistence spyware stealer

Looks for VirtualBox Guest Additions in registry

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Checks system information in the registry

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:48

Reported

2024-06-14 14:51

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"

Signatures

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fonts\pns.ttf C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data not captured in this export] C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\ProgramData\Чистилка\Чистилка.exe
PID 1152 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\ProgramData\Чистилка\Чистилка.exe
PID 1152 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\ProgramData\Чистилка\Чистилка.exe
PID 1152 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\ProgramData\Чистилка\Чистилка.exe
PID 1152 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe
PID 1152 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"

C:\ProgramData\Чистилка\Чистилка.exe

C:\ProgramData\Чистилка\Чистилка.exe /srvcreate

C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe" /test

C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe" /restart /util

Network

Country Destination Domain Proto
US 8.8.8.8:53 chistilka.com udp
DE 80.240.18.87:443 chistilka.com tcp
US 8.8.8.8:53 pay.chistilka.com udp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 8.8.8.8:53 chistilka.ru udp
US 188.114.96.2:443 chistilka.ru tcp
US 8.8.8.8:53 time.google.com udp
US 8.8.8.8:53 stat2.chistilka.com udp
FR 54.37.81.78:443 stat2.chistilka.com tcp
US 216.239.38.178:80 www.google-analytics.com tcp
US 8.8.8.8:53 update.chistilka.com udp
FR 5.135.140.26:443 update.chistilka.com tcp
DE 80.240.18.87:443 chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
DE 140.82.35.84:80 140.82.35.84 tcp
US 8.8.8.8:53 new.config.chistilka.com udp
US 8.8.8.8:53 api.amplitude.com udp
US 52.37.201.186:80 api.amplitude.com tcp
US 188.114.96.2:443 chistilka.ru tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
FR 54.37.81.78:443 stat2.chistilka.com tcp
DE 80.240.18.87:443 chistilka.com tcp
FR 5.135.140.26:443 update.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp
US 104.21.47.204:443 pay.chistilka.com tcp

Files

\ProgramData\Чистилка\Чистилка.exe

MD5 aa41ba0a367948e18f682f90c32efcb3
SHA1 77a62b5ab8ebbede1f6793ec42a6d0991091f3d4
SHA256 2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5
SHA512 14606232eba3d1396facfeb86e7fe27947213a9dbb19d5a2639ffe41743394ed7a0ce504f74d0a1d285ff63b09b07289d2f78f1d04336e30bf821f1a4f8a179e

C:\Users\Public\Desktop\Чистилка.lnk

MD5 b22fe742ef1b240b92708e927e036ce5
SHA1 587134c1bc083f3eb582aea54f21af9e4c1d01a3
SHA256 976c1ee785207ac1e58b8e036571c41e2994cdb588ad3251916e091740f9cc05
SHA512 660f381037cc1c0b38ab74165396a78f6cf44ad97b0d027293675b868bd1311c0fbfc2dca3b5edbf052e6e5d3274fc9ae205e2066d95d0ea4fa4a721bbd25d82

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

MD5 abd4953459070ff0b9b98728204b8829
SHA1 320c021c47020e9567dc7b56070291fe3f97fba4
SHA256 6d7580bc799a635b89cf892fa35acc51b207c122b9e6226c6e39dc6446d5ffef
SHA512 0fd775646b183f25344736236af11e1efe6c46e039566e4619abe69758c7d7620b31f6a6fbdc4253528756dc815b48955f0122d34a027e0ad576e93dc88f3a05

memory/1152-39-0x00000000007B0000-0x00000000007B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

MD5 d7ebb78bf1f0e4a8278b2d63013b1134
SHA1 498b315dcba9bf4403d6748be61453d5d8991b61
SHA256 c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
SHA512 ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312

memory/1152-62-0x0000000000080000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cln85F3.tmp

MD5 abee4387ab69da821ed9397cc651597d
SHA1 5d14f4afdbe15448bf884b528ffffab874f920a7
SHA256 ac1dfd38d2fa61e28211e196cd3d754f6ccfb220e8c1beba52e54825cf615e22
SHA512 e014294cb60b66bd259f4a6ce262fc9eca30a30e7674dae178dbac6132ba464120e5d1076ee81c1210a2f42f819d94373733172cef9fda77c9effb4eed53a904

memory/1152-69-0x0000000000080000-0x00000000004DE000-memory.dmp

C:\ProgramData\Чистилка\settings.json

MD5 7b1f4611fde318efe702102a65a7cf37
SHA1 3b6b25f7858135a903f06e4236d4d288179c32b8
SHA256 0fee7a989e4db82caa219cc5663e97678e1162267a7a170002755390716068f2
SHA512 d4e66fe6fb5265452ec3f66e36461c1707808881a6371a9caf6a074f0a17f3af3e89bb66db2ebc16fa9361d569afef6d3cf9287914728a86e7bc8800fad9fbbc

C:\ProgramData\Чистилка\config.dat

MD5 614b62170e585ef6485ff11b62441985
SHA1 c9f5c8afe4440d65f0dead368e059bb9264e17f4
SHA256 c963b78a3afddf9a2ec30eb521b6b957721954a1e234c94a29f816bc4d9600ba
SHA512 b9d35c00109c72238b5b04d415c1891a11c53ec4ccbf0981f007981f73dad027637718c2f2369433e3e306510aad07030832000e820ceedc896912a1fd25f546

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:48

Reported

2024-06-14 14:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Чистилка\Чистилка.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fonts\pns.ttf C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Чистилка\Чистилка.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Чистилка\Чистилка.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Чистилка\Чистилка.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa41ba0a367948e18f682f90c32efcb3_JaffaCakes118.exe"

C:\ProgramData\Чистилка\Чистилка.exe

C:\ProgramData\Чистилка\Чистилка.exe /srvcreate

Network

Country Destination Domain Proto
US 8.8.8.8:53 chistilka.com udp
DE 140.82.35.84:80 tcp
US 8.8.8.8:53 pay.chistilka.com udp
DE 140.82.35.84:80 tcp
US 8.8.8.8:53 chistilka.ru udp
US 8.8.8.8:53 time.google.com udp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
US 8.8.8.8:53 chistilka.ru udp
US 8.8.8.8:53 pay.chistilka.com udp
US 8.8.8.8:53 update.chistilka.com udp
US 8.8.8.8:53 stat2.chistilka.com udp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
DE 140.82.35.84:80 tcp
US 8.8.8.8:53 stat2.chistilka.com udp
US 8.8.8.8:53 update.chistilka.com udp
DE 140.82.35.84:80 tcp

Files

C:\ProgramData\Чистилка\Чистилка.exe

MD5 aa41ba0a367948e18f682f90c32efcb3
SHA1 77a62b5ab8ebbede1f6793ec42a6d0991091f3d4
SHA256 2da7bf2b0c2732e79a32235ba8448a9f1d24c1faa9490161536919bb8227c7a5
SHA512 14606232eba3d1396facfeb86e7fe27947213a9dbb19d5a2639ffe41743394ed7a0ce504f74d0a1d285ff63b09b07289d2f78f1d04336e30bf821f1a4f8a179e

C:\Users\Public\Desktop\Чистилка.lnk

MD5 be3468c8e210cd743b5ab9710593baff
SHA1 f862d1b0aaa0e7c36afbbd1f934b59da4b1ea586
SHA256 3222cc5c3bcf2dd8f097063768ee59f0669e29e99c1de3ca37bbfe5265208c26
SHA512 3336298ddc9b116e7d1efae059720771df954dee1cbd54c3e0bc4e6083324a66a444db822aca8ebf5d1ff9a1847fa4e69b09362cd0f4518d9a3bc04989242c94