Malware Analysis Report

2025-03-15 00:57

Sample ID 240626-l12m1ayhlb
Target 119aaa372d0901515c8f5555ef04359c_JaffaCakes118
SHA256 41a172ec0f296a206c693534a2186ba8f5dad0835f19317eb96e495b3e511096
Tags
defense_evasion evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41a172ec0f296a206c693534a2186ba8f5dad0835f19317eb96e495b3e511096

Threat Level: Known bad

The file 119aaa372d0901515c8f5555ef04359c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Adds policy Run key to start application

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 10:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 10:00

Reported

2024-06-26 10:03

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2868 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2868 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2868 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 2868 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2868 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2868 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2868 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2512 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2672 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2672 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2672 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2672 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2804 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2664 wrote to memory of 2712 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2664 wrote to memory of 2712 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2664 wrote to memory of 2712 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2664 wrote to memory of 2712 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2664 wrote to memory of 1176 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1176 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1176 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1176 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1176 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1176 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1176 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1176 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1176 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1176 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1176 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2512 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2664 wrote to memory of 2952 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2664 wrote to memory of 2952 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2664 wrote to memory of 2952 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2664 wrote to memory of 2952 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 013c8d1a12c99688b5d8b1616261ef2e
SHA1 14fdc8aaaf39e1fa6641bf68d1e8f718b47566f4
SHA256 25f4e8b7d30c3a01254d472fdc153ef6080f57d6a68d9514f906db8a2af40cd5
SHA512 eb18c84010928eb0c0861811c929cd1d5e141a451d6dfc96c0482488f2bf67c637b1993ddf8432ea390de4bae3d177c500ebe93c67e22a76994645b181356ab2

C:\Windows\hosts.exe

MD5 86d54c4e801c82ed12020eba678a0c3d
SHA1 d00b0ccac771a4895ef4bf23a41a8fcfbcef32e7
SHA256 47f092937ed03f04a91a0105ef4f76dd86b1d3db3ea0f4947cb3bbb51271b254
SHA512 d288f9a68d6c3413dd732ef44b750a37d91578b90a94bb4d87759efd33d74e241e991dc3dd6fd007d2b3785a546f38b403f03f0255cc9d4a539dc1e0ba86b4f8

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 953cf5c915c9c58501354c4826dea466
SHA1 2934232a159f5c3738212aa3ece4cdd45ba8cfe4
SHA256 bbdb3fb588b1aca990fbc6355f577bdd40c60e69d9951142da5e8dc84e0b33ed
SHA512 77472ee7f75bee37380d22c14e698b07240c0177b1b4850b72b5ee05136cf17ac3e391b26c6876bfed15049326cd0e2717d0f1de8c4fffba4cd83446218c3147

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 c431bc744cfbb85feb9678cf865f244b
SHA1 342c1d30e391a2a9a3a6ae39f93880bedc5b5ea1
SHA256 704185609596a555ba9e1865cfafef71b5237467124e440f58261701b7beb133
SHA512 67ca2e14cad1c167666dd4756c9386dac7a1e0a9b9767e23be8787e81e96085bc39d031a27dd8611b516c791434bb09b81c671a8c8c8a0521347258c11ce30f4

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 3b49a5581c3ed6210efceb0d06105c37
SHA1 58e7e6e78a3fcba17937e3d4f982130d4548aa6f
SHA256 eb5f6fd5b32a91052a2b37e65effd76bbc44ff9538f39cf15ccce96f4cd239fc
SHA512 a18aaf93885c028be0d0883e95dcded1dc02a0c6c9798e5d97f1ba0ec1ad13bfc2e2dfb5c340c7c973a29f89d0af336bd67f4c02a5fbd02810da4adc6ea6d4b1

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 5889ffa844a00368d3096bd0603e3f3c
SHA1 5b54d95244bc4de72a474603229becc9ece54259
SHA256 acda67924344ffa381e92844de633355b8a485431ebb3d435bab5e48fecba1b5
SHA512 47acac2d1dee7f7dd56a9fb322e25bf36f023fbc014b849189f2b23e639a7b015d67d60974489be8ded6b3a7b097d5bfc54004f0a9e8ce5afaed9651f9c7225a

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 7cde3d52f8d2fede6f2893e4d6f70f03
SHA1 228634dab63379db3ea3c9f95a82b7d6cb8453ab
SHA256 c813cba0561d939db3feacc048953022d65237cd41b6b7ea78d5de74efc05d60
SHA512 a34e9c52d7c9ae5889ca114643b4c86f9ea5d7eb4a92220b04ef110b909466b8e0897ca906b0815c6953c791d22cbfe38fa3428a4c4d2df57f3b75adbf107f2c

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 85313e8658d906a53cf4b3a8259884ad
SHA1 704129bb5b706352022d6431ed86b739ca80720c
SHA256 fccc0b58a0031882c85349dc223165c3f613b89d326250e675464ee8c42f058b
SHA512 c6655c83ad3be366a6892d7260ccfa0734d6d75eaff75175eed12c5ce6d67ad55e05addca2fae2e9df0ab2b8e0f93d5391bf9cd8a93e5ebd28d29525e6adb92a

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 ff8f59afced69104020b873fe34d45dc
SHA1 71b79722bebe98bd909a837753b4f8370713f7d5
SHA256 b07099cfd726951824ca4ead9026a2fc5bc76499c2b9c613f4deb19d73ebbf23
SHA512 09c03c927961474da193ae05abf192c0f80cfa6608c3a2ea0c2e8ab95d3eee86cdb6a162fa7b50a63a42e9bb001a3152c17c4f660abe6429574e3655529f2df7

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 507ef36ee349bd07178ea201bc3a5b94
SHA1 2f882206885f31f9d7e43df631755fb1530aaa27
SHA256 bd016d96ef9165acedba2d7c643b363a876e4ea5b79e9ea9093de9d80178d872
SHA512 88b2d80d767eeeec2af4d07e588bcc432c7ceb63f89b70ec7c5511a06b2f240f9152f4c0ac058d05c6a8d4991053ed6916c096d1abdad5d99c5a31703c845ac1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 10:00

Reported

2024-06-26 10:03

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A
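The registry rows in the signature tables of behavioral1 and behavioral2 (Explorer HideFileExt/ShowSuperHidden, the Policies\Explorer\Run value, the SafeBoot\Minimal subkey deletions by REG.exe, and the Run\avscan value pointing into %TEMP%) describe the same behaviour in both runs; only the SID and the random value name differ. The Python below is an added example and not part of the sandbox report: it parses rows in this report's "Description Indicator Process Target" layout and maps each row to a detection rule. The parser, rule names and the Finding type are mine; the embedded rows are transcribed from the tables above (a mix of both detonations, plus the "Checks computer location settings" and "Modifies registry class" rows, which must not fire).

```python
"""Classify sandbox registry-event rows into the behaviours this report flags.
Added example: the parser and the rule names are the editor's, not the sandbox's."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows transcribed from the report's signature tables
# (both detonations) plus two benign rows that must not match any rule.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
"""

_DESC = re.compile(r"^(Set value \(\w+\)|Key created|Key deleted|Key value queried) (.*)$")


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Set value", "Key created", "Key deleted", "Key value queried"
    path: str              # registry path; for Set value the value name is the last component
    value: Optional[str]   # REG data as printed by the sandbox, None unless action is Set value
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    path: str


def parse_rows(text: str) -> list:
    """Parse 'Description Indicator Process Target' rows.  Process and target are
    the last two whitespace-separated tokens; the registry path itself may contain
    spaces ('Control Panel', 'Local Settings'), so split from the right."""
    events = []
    for line in text.strip().splitlines():
        head, process, _target = line.rsplit(None, 2)
        m = _DESC.match(head)
        if not m:
            continue
        action, rest = m.group(1), m.group(2)
        value = None
        if action.startswith("Set value"):
            action = "Set value"
            rest, _, quoted = rest.partition(" = ")
            value = quoted.strip('"')
        events.append(RegEvent(action, rest, value, process))
    return events


def classify(ev: RegEvent) -> Optional[str]:
    """Map one event to a rule name, or None when the row is benign noise."""
    low = ev.path.lower()
    if ev.action == "Set value":
        if low.endswith("\\explorer\\advanced\\hidefileext") and ev.value == "1":
            return "explorer_hide_extensions"
        if low.endswith("\\explorer\\advanced\\showsuperhidden") and ev.value == "0":
            return "explorer_hide_system_files"
        if "\\policies\\explorer\\run\\" in low:
            return "policy_run_persistence"
        if re.search(r"\\currentversion\\run\\[^\\]+$", low):
            # The sandbox prints REG_SZ data with doubled backslashes; undo that.
            data = (ev.value or "").replace("\\\\", "\\").lower()
            if "\\appdata\\local\\temp\\" in data:
                return "run_key_from_temp"
    elif ev.action == "Key deleted" and "\\control\\safeboot\\" in low:
        return "safeboot_key_deleted"
    return None


def scan(text: str) -> list:
    return [Finding(rule, ev.process, ev.path)
            for ev in parse_rows(text)
            if (rule := classify(ev))]


def summarize(findings) -> dict:
    """rule -> set of process basenames (lower-cased) that triggered it."""
    by_rule = defaultdict(set)
    for f in findings:
        by_rule[f.rule].add(f.process.rsplit("\\", 1)[-1].lower())
    return dict(by_rule)


if __name__ == "__main__":
    for rule, procs in sorted(summarize(scan(SAMPLE_ROWS)).items()):
        print(f"{rule:28s} {', '.join(sorted(procs))}")
```

The "Key created ...\Policies\Explorer\Run" rows deliberately produce no finding on their own: creating the key is harmless until a value is written under it, and keying on the Set value row avoids double-counting the three WScript.exe instances.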

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1148 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1148 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1148 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1148 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1148 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 784 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 784 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3992 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3992 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3992 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1332 wrote to memory of 1544 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1332 wrote to memory of 1544 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1332 wrote to memory of 1544 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1332 wrote to memory of 3008 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 3008 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 3008 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 784 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 784 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3992 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3992 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3992 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3008 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3008 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3008 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3008 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3008 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3008 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 392 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3172 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3172 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3172 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 4900 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 4900 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 4900 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3132 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3132 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3132 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
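The WriteProcessMemory tables in behavioral1 and behavioral2 are a flattened process tree: each "PID X wrote to memory of Y" row is a parent writing into a child it has just created, and every row is repeated (four times in behavioral1, three in behavioral2) because the sandbox logs each write during process start-up. The Python below is an added example, not part of the report: it rebuilds the tree from rows in that layout, drops the repeats, and reports PIDs that show up under more than one parent. The embedded rows are one copy of each distinct behavioral2 row, plus one deliberate repeat; behavioral1's rows parse the same way. The parser and the ProcTree type are mine.

```python
"""Rebuild the parent/child process tree from sandbox 'wrote to memory of' rows.
Added example: parser and data types are the editor's, not the sandbox's."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: one copy of each distinct behavioral2 row in report order,
# with the first row repeated once to show deduplication.
SAMPLE_ROWS = r"""
PID 1148 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1148 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\REG.exe
PID 1148 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 392 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3992 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1332 wrote to memory of 1544 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1332 wrote to memory of 3008 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3992 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3008 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3008 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 392 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3172 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 4900 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 392 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1332 wrote to memory of 3132 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
"""

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass
class ProcTree:
    children: dict = field(default_factory=dict)  # ppid -> [pid, ...] in first-seen order
    image: dict = field(default_factory=dict)     # pid  -> executable basename
    edges: int = 0                                # distinct (ppid, pid) pairs


def build_tree(text: str) -> ProcTree:
    children = defaultdict(list)
    image, seen = {}, set()
    for line in text.strip().splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        ppid, pid = int(m.group(1)), int(m.group(2))
        # First image wins; a reused PID with a different image would be hidden here.
        image.setdefault(ppid, m.group(3).rsplit("\\", 1)[-1])
        image.setdefault(pid, m.group(4).rsplit("\\", 1)[-1])
        if (ppid, pid) in seen:          # repeated write into the same child
            continue
        seen.add((ppid, pid))
        children[ppid].append(pid)
    return ProcTree(dict(children), image, len(seen))


def roots(tree: ProcTree) -> list:
    """Parents that never appear as a child: the submitted sample."""
    all_children = {c for cs in tree.children.values() for c in cs}
    return [p for p in tree.children if p not in all_children]


def reused_pids(tree: ProcTree) -> set:
    """PIDs listed under more than one parent.  REG.exe exits quickly, so the
    sandbox most likely saw the same PID handed to a second REG.exe."""
    parents = defaultdict(set)
    for ppid, cs in tree.children.items():
        for c in cs:
            parents[c].add(ppid)
    return {c for c, ps in parents.items() if len(ps) > 1}


def render(tree: ProcTree, pid: int, depth: int = 0) -> list:
    lines = [f"{'    ' * depth}{tree.image[pid]} [{pid}]"]
    for child in tree.children.get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    t = build_tree(SAMPLE_ROWS)
    for root in roots(t):
        print("\n".join(render(t, root)))
    print("reused PIDs:", sorted(reused_pids(t)))
```

The rendered tree makes the loop in this sample visible: the sample starts avscan.exe and cmd.exe, cmd.exe runs W_X_C.bat which starts hosts.exe and WScript.exe, and hosts.exe in turn starts avscan.exe and another cmd.exe, so the chain hosts.exe -> cmd.exe -> hosts.exe repeats until the sandbox stops it.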

Processes

C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\119aaa372d0901515c8f5555ef04359c_JaffaCakes118.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 013c8d1a12c99688b5d8b1616261ef2e
SHA1 14fdc8aaaf39e1fa6641bf68d1e8f718b47566f4
SHA256 25f4e8b7d30c3a01254d472fdc153ef6080f57d6a68d9514f906db8a2af40cd5
SHA512 eb18c84010928eb0c0861811c929cd1d5e141a451d6dfc96c0482488f2bf67c637b1993ddf8432ea390de4bae3d177c500ebe93c67e22a76994645b181356ab2

C:\Windows\hosts.exe

MD5 86d54c4e801c82ed12020eba678a0c3d
SHA1 d00b0ccac771a4895ef4bf23a41a8fcfbcef32e7
SHA256 47f092937ed03f04a91a0105ef4f76dd86b1d3db3ea0f4947cb3bbb51271b254
SHA512 d288f9a68d6c3413dd732ef44b750a37d91578b90a94bb4d87759efd33d74e241e991dc3dd6fd007d2b3785a546f38b403f03f0255cc9d4a539dc1e0ba86b4f8

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 1037a3f26ea204e975ce9b80057454c9
SHA1 b22c9b474d7e673cf96400addc51c4cc6f539d8b
SHA256 0188d783fbd81cfca2cb417420a1a9855003300a1a6cc4470bbf72684b338e2f
SHA512 f48e76ec3263320f9e7661c14a1315df32e670efe8c8a8a8f8b0a8c26943fd08f65cc2566aac1ac89598b4f0f9127180da5dbf25749accbd142654ecb9c820b3