gh0strat | 7c6c3b4d687b1e46697b497df7821e1f47d82a68fdcdf3fde48f5b358b330771

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 21:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe
Size

112KB
MD5

b03889b9ebf63154d70c97cea89f13a5
SHA1

51d2cef64e6db8029d2d206f6865ad07cf36ae76
SHA256

7c6c3b4d687b1e46697b497df7821e1f47d82a68fdcdf3fde48f5b358b330771
SHA512

a5bbc9d5d5cb426eb955f728dac15f2351897712f4f766a2e5fa0334e41ddbd3d7fd59d2046e283fe3353ad625f6410292c88c58e255ff3921a2729bba394166
SSDEEP

1536:vqEA70HzLJksPEOajozLElnqiO29dJ/tHi:vXTLJkQ7zAV3NtC

Score

10^/10

gh0strat runningrat persistence rat

Malware Config

Extracted

Family

gh0strat

post.f2pool.info

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000235e2-1.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lsass\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240644781.dll"	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	lsass.exe

Loads dropped DLL 3 IoCs

pid	Process
4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe
3080	svchost.exe
1128	lsass.exe

Creates a Windows Service
persistence

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lsass.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\lsass.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4216	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe
4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 888	4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe	91
PID 4844 wrote to memory of 888	4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe	91
PID 4844 wrote to memory of 888	4844	b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe	91
PID 888 wrote to memory of 4216	888	cmd.exe	93
PID 888 wrote to memory of 4216	888	cmd.exe	93
PID 888 wrote to memory of 4216	888	cmd.exe	93
PID 3080 wrote to memory of 1128	3080	svchost.exe	97
PID 3080 wrote to memory of 1128	3080	svchost.exe	97
PID 3080 wrote to memory of 1128	3080	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\b03889b9ebf63154d70c97cea89f13a5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:4216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "lsass"
1⤵
PID:1036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "lsass"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\lsass.exe
  C:\Windows\system32\lsass.exe "c:\users\admin\appdata\local\temp\240644781.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:2300

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=38DDF89FC33C6C20371EEC00C2DC6DBE; domain=.bing.com; expires=Thu, 10-Jul-2025 21:38:41 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 10197E10B7C14B69A39A31F91CD92916 Ref B: LON04EDGE1009 Ref C: 2024-06-15T21:38:41Z
date: Sat, 15 Jun 2024 21:38:41 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=38DDF89FC33C6C20371EEC00C2DC6DBE; _EDGE_S=SID=229BB416A6A16187389AA089A76160C1

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=41ikQCVWsYTHRuc7NmQq-n58evcC0zg2K4mWnsZ7if4; domain=.bing.com; expires=Thu, 10-Jul-2025 21:38:41 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 487E0A3EDF0E42E3BA6B540CD86EB36D Ref B: LON04EDGE1009 Ref C: 2024-06-15T21:38:41Z
date: Sat, 15 Jun 2024 21:38:41 GMT
GET

https://www.bing.com/aes/c.gif?RG=d8f301cad33644c2ba25cb1d5622115d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T225325Z&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640

Remote address:

2.17.107.122:443

Request

GET /aes/c.gif?RG=d8f301cad33644c2ba25cb1d5622115d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T225325Z&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=38DDF89FC33C6C20371EEC00C2DC6DBE

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3E52CEB85DF64C72AF6351267E681FE8 Ref B: DUS30EDGE0313 Ref C: 2024-06-15T21:38:41Z
content-length: 0
date: Sat, 15 Jun 2024 21:38:41 GMT
set-cookie: _EDGE_S=SID=229BB416A6A16187389AA089A76160C1; path=/; httponly; domain=bing.com
set-cookie: MUIDB=38DDF89FC33C6C20371EEC00C2DC6DBE; path=/; httponly; expires=Thu, 10-Jul-2025 21:38:41 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.766b1102.1718487521.319910e2
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

114.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.83.221.88.in-addr.arpa

IN PTR

Response

114.83.221.88.in-addr.arpa

IN PTR

a88-221-83-114deploystaticakamaitechnologiescom
DNS

122.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.107.17.2.in-addr.arpa

IN PTR

Response

122.107.17.2.in-addr.arpa

IN PTR

a2-17-107-122deploystaticakamaitechnologiescom
DNS

post.f2pool.info

lsass.exe

Remote address:

8.8.8.8:53

Request

post.f2pool.info

IN A

Response

post.f2pool.info

IN A

127.0.0.1
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

21.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.121.18.2.in-addr.arpa

IN PTR

Response

21.121.18.2.in-addr.arpa

IN PTR

a2-18-121-21deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

145.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

145.83.221.88.in-addr.arpa

IN PTR

Response

145.83.221.88.in-addr.arpa

IN PTR

a88-221-83-145deploystaticakamaitechnologiescom
DNS

105.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.83.221.88.in-addr.arpa

IN PTR

Response

105.83.221.88.in-addr.arpa

IN PTR

a88-221-83-105deploystaticakamaitechnologiescom

13.107.21.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fyN2t142gQvpgCeAAkFXMDVUCUzN0O5Q2sVCRb3eqCP9S0v3nq0RZDakiJIBgPm_fuxUlkBfVSDXuEBzyIJ2zCP6-9jKi3xF_-HG5x5B2_jp9TmmWA28y2AVFc8Sho-ykGE6YCUpr-hqc0LgedYW6UOvgzTokpuHQGRhQQT-CjqQJT3e%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZm1pY3Jvc29mdC1lZGl0b3IlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Daf991cd7162a1500064f7abfc30ee1ca&TIME=20240611T225325Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640&muid=8CE4F47C62C1CBA160834AA98427395E

HTTP Response

204
2.17.107.122:443

https://www.bing.com/aes/c.gif?RG=d8f301cad33644c2ba25cb1d5622115d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T225325Z&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640

tls, http2

1.4kB
5.4kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=d8f301cad33644c2ba25cb1d5622115d&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T225325Z&adUnitId=11730597&localId=w:8CE4F47C-62C1-CBA1-6083-4AA98427395E&deviceId=6825835407638640

HTTP Response

200
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe
127.0.0.1:8050

lsass.exe

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

114.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

114.83.221.88.in-addr.arpa
8.8.8.8:53

122.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

122.107.17.2.in-addr.arpa
8.8.8.8:53

post.f2pool.info

dns

lsass.exe

62 B
78 B
1
1

DNS Request

post.f2pool.info

DNS Response

127.0.0.1
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

21.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

21.121.18.2.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

145.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

145.83.221.88.in-addr.arpa
8.8.8.8:53

105.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

105.83.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240644781.dll

Filesize
37KB

MD5
a0e293ba67e126846d68fd2a401f1458

SHA1
69643cdfb2eab46c73a20b335b89df990a360fe8

SHA256
ceb1f2ee865afc433df501a66f57155ce2478f7901a05a3d11851a81e24e7d8b

SHA512
d8109bcef384554881dc7772c2b63cf6f290bcc1834716434260e26a773e62dcb38186b087f5a5a382da9c2b971862eb99af22c619cd77b69105b1ac00fb64fc

Download Submit
C:\Windows\SysWOW64\lsass.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.