Malware Analysis Report

2025-03-15 00:49

Sample ID 240626-q3sv4axcpc
Target 12311cc235e275dcc60a730d871f58a0_JaffaCakes118
SHA256 08b29bebdc1352bb5c37382f3e32a712d12e217339417e99cd278606c2b06004
Tags
defense_evasion persistence
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 12311cc235e275dcc60a730d871f58a0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion persistence

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Deletes itself

Loads dropped DLL

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Analysis: static1

Detonation Overview

Reported

2024-06-26 13:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 13:47

Reported

2024-06-26 13:50

Platform

win7-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "360safe" C:\Windows\Tasks\kav32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\pig.vbs" C:\Windows\Tasks\kav32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} C:\Windows\Tasks\kav32.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Tasks\kav32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC C:\Windows\Tasks\kav32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\Tasks\kav32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Tasks\kav32.exe N/A
File opened (read-only) \??\H: C:\Windows\Tasks\kav32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\×¢²á.bat C:\Windows\Tasks\kav32.exe N/A
File opened for modification C:\Windows\Tasks\×¢²á.bat C:\Windows\Tasks\kav32.exe N/A
File created C:\Windows\Tasks\wsock33.dll C:\Windows\Tasks\kav32.exe N/A
File created C:\Windows\Tasks\kav32.exe C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Tasks\kav32.exe C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\pig.vbs C:\Windows\Tasks\kav32.exe N/A
File opened for modification C:\Windows\Tasks\pig.vbs C:\Windows\Tasks\kav32.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\dek.bat

C:\Windows\SysWOW64\ipconfig.exe

ipconfig

C:\Windows\Tasks\kav32.exe

C:\Windows\Tasks\kav32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.indexgg.cn udp

Files

C:\dek.bat

MD5 6d97bc1c912edb0c8b36bd0933e016e2
SHA1 8cd68b46e047b567a5e83c460c515a2ff3d0bedd
SHA256 98419ee23036b7f7b95621474cb4565928f68b13c726ffdb38bc6657b94aa2f3
SHA512 ec2ef33d409e50ca79f0e47d2ca091b5709e5bb9437c7938dcbf02b6d5319362659a4e5eba3fed23828d02f999aec28a79cc84f45483a260a8140442a92faec4

\Windows\Tasks\kav32.exe

MD5 e053b0e34ed7e0304db7e14368bfb4bf
SHA1 d416d0db61246a9c007672ce25bbe44752ffb7be
SHA256 c4f556508e85fc2f1199a8cc22946537d83a939dbaa4dec46e7315561d8a847a
SHA512 1d2b194f149848012b9bef32688762cda40d454bd1f7d8af7aa0b50fc754e264b7d5bf2b800dcb6279cd08645bc18e572588eea7b9a36fbe30626f6a93e9e04d

C:\Windows\Tasks\pig.vbs

MD5 93511c0c00557b8222622f1b1b94490d
SHA1 2fffbe81f874d1941efa9b6dc7735d88179c66bc
SHA256 944dec2284cc789df1cd0d81dd65de6a39d5bd60be9317bdca93acd9359f16ff
SHA512 e0cae4aab8ed14cd1e4c2372020f50cc28f93a99719eb9973b136bb38c05cef0da0f8d994e5af5e6fa7be64bb6b7fc8afab2e980563af51db9027fb67e759aef

C:\Windows\System32\drivers\etc\hosts

MD5 6da7c967eefb1285a128b117468478f1
SHA1 337d5061de98819a3ab9613310611d5d691f769c
SHA256 2b4590d13dc6eca9c6df1a210e9f5071b8785feef59bcdd36c13f8e34e321e12
SHA512 ab94f37518b0bc410206013d2768736dd677ddaf7d7373403e6e052e28b136385e9673e78aab013000cb2797510700eb9bd4d9d8d8f84c0e62b6ed2f3a66e7d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 13:47

Reported

2024-06-26 13:50

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\pig.vbs" C:\Windows\Tasks\kav32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} C:\Windows\Tasks\kav32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "360safe" C:\Windows\Tasks\kav32.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Tasks\kav32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PROFSVC C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SERCX2.SYS C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\USERMANAGER C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\CBDHSVC C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IAI2C.SYS C:\Windows\Tasks\kav32.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\POWER C:\Windows\Tasks\kav32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN C:\Windows\Tasks\kav32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Tasks\kav32.exe N/A
File opened (read-only) \??\H: C:\Windows\Tasks\kav32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\kav32.exe C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Tasks\kav32.exe C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
File created C:\Windows\Tasks\pig.vbs C:\Windows\Tasks\kav32.exe N/A
File opened for modification C:\Windows\Tasks\pig.vbs C:\Windows\Tasks\kav32.exe N/A
File created C:\Windows\Tasks\×¢²á.bat C:\Windows\Tasks\kav32.exe N/A
File opened for modification C:\Windows\Tasks\×¢²á.bat C:\Windows\Tasks\kav32.exe N/A
File created C:\Windows\Tasks\wsock33.dll C:\Windows\Tasks\kav32.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe N/A
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Tasks\kav32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12311cc235e275dcc60a730d871f58a0_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\dek.bat

C:\Windows\SysWOW64\ipconfig.exe

ipconfig

C:\Windows\Tasks\kav32.exe

C:\Windows\Tasks\kav32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.indexgg.cn udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp

Files

\??\c:\dek.bat

MD5 6d97bc1c912edb0c8b36bd0933e016e2
SHA1 8cd68b46e047b567a5e83c460c515a2ff3d0bedd
SHA256 98419ee23036b7f7b95621474cb4565928f68b13c726ffdb38bc6657b94aa2f3
SHA512 ec2ef33d409e50ca79f0e47d2ca091b5709e5bb9437c7938dcbf02b6d5319362659a4e5eba3fed23828d02f999aec28a79cc84f45483a260a8140442a92faec4

C:\Windows\Tasks\kav32.exe

MD5 e053b0e34ed7e0304db7e14368bfb4bf
SHA1 d416d0db61246a9c007672ce25bbe44752ffb7be
SHA256 c4f556508e85fc2f1199a8cc22946537d83a939dbaa4dec46e7315561d8a847a
SHA512 1d2b194f149848012b9bef32688762cda40d454bd1f7d8af7aa0b50fc754e264b7d5bf2b800dcb6279cd08645bc18e572588eea7b9a36fbe30626f6a93e9e04d

C:\Windows\Tasks\pig.vbs

MD5 93511c0c00557b8222622f1b1b94490d
SHA1 2fffbe81f874d1941efa9b6dc7735d88179c66bc
SHA256 944dec2284cc789df1cd0d81dd65de6a39d5bd60be9317bdca93acd9359f16ff
SHA512 e0cae4aab8ed14cd1e4c2372020f50cc28f93a99719eb9973b136bb38c05cef0da0f8d994e5af5e6fa7be64bb6b7fc8afab2e980563af51db9027fb67e759aef

C:\Windows\System32\drivers\etc\hosts

MD5 6da7c967eefb1285a128b117468478f1
SHA1 337d5061de98819a3ab9613310611d5d691f769c
SHA256 2b4590d13dc6eca9c6df1a210e9f5071b8785feef59bcdd36c13f8e34e321e12
SHA512 ab94f37518b0bc410206013d2768736dd677ddaf7d7373403e6e052e28b136385e9673e78aab013000cb2797510700eb9bd4d9d8d8f84c0e62b6ed2f3a66e7d7