Malware Analysis Report

2025-03-15 00:54

Sample ID: 240627-b5x59swdpa
Target: 143c99abf7332ddc63d095521f8f9d55_JaffaCakes118
SHA256: 8a64784d709b30f949b42bdd224c25291955fa2897551099574c2312a9501504
Tags: defense_evasion persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

8a64784d709b30f949b42bdd224c25291955fa2897551099574c2312a9501504

Threat Level: Likely malicious

The file 143c99abf7332ddc63d095521f8f9d55_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion persistence

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Executes dropped EXE

Deletes itself

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 01:44

Reported

2024-06-27 01:46

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/2044-0-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 01:44

Reported

2024-06-27 01:46

Platform

win7-20240220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK} C:\Windows\ini\ini.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "windir" C:\Windows\ini\ini.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\ini\\shit.vbs" C:\Windows\ini\ini.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\ini\ini.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER C:\Windows\ini\ini.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC C:\Windows\ini\ini.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND C:\Windows\ini\ini.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\ini\ini.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\ini\ini.exe N/A
File opened (read-only) \??\H: C:\Windows\ini\ini.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\DVD Maker\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\it-IT\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tl\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\System\msadc\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\vi\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Windows Journal\fr-FR\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\MSBuild\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\cmm\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\wsock32.dll C:\Windows\ini\ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\wsock32.dll C:\Windows\ini\ini.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ini\shit.vbs C:\Windows\ini\ini.exe N/A
File created C:\Windows\Tasks\安装.bat C:\Windows\ini\ini.exe N/A
File opened for modification C:\Windows\Tasks\安装.bat C:\Windows\ini\ini.exe N/A
File created C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini\desktop.ini C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A
File created C:\Windows\ini\wsock32.dll C:\Windows\ini\ini.exe N/A
File opened for modification C:\Windows\ini C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ini C:\Windows\ini\ini.exe N/A
File created C:\Windows\ini\ini.exe C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A
File created C:\Windows\ini\shit.vbs C:\Windows\ini\ini.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\ini\ini.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\143c99abf7332ddc63d095521f8f9d55_JaffaCakes118.exe"

C:\Windows\ini\ini.exe

C:\Windows\ini\ini.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\143C99~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 w.ssddffgg.cn udp
US 8.8.8.8:53 w.wonthe.cn udp (33 identical entries)

Files

memory/2068-0-0x0000000000400000-0x0000000000410000-memory.dmp

\Windows\ini\ini.exe

MD5 1439743bb3f2271363928da5fbb7bed2
SHA1 852d26e8c42cb9d8f2745d1a35bdbb7879404483
SHA256 ee3b6e2a5a29e316f4a5bcd4a0aa670674fbcec5c194aba14c133340bc1a9314
SHA512 16e7a3ab3cac2b0dfad1bd34100ff75892b7c622477b05226fe6216d89e45269bec3f98e8c4ba53f357935065b17c75067ec4d129ae8dcfe91f86212ecd56207

memory/2068-4-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2068-10-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1300-11-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2068-18-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\ini\shit.vbs

MD5 029cb6e8dd46b0bac89f075426176148
SHA1 ac38c1a3e3db05376f191d161500d74251c9e493
SHA256 638734859db449bb4597a1f3fff81fbf9c9ba9158fc232bfd0ba5f69eab67ef0
SHA512 f74516b98862b508d1714f9757ed22bd76248626ea1eb665f8a3141438c156bb218598adbd089f63c3cf80336e986a5afc2234f18839a8e807ca5c616af29d2b

C:\Windows\ini\wsock32.dll

MD5 62d674465aeb6cb32700fba27c5745d5
SHA1 ccecf6d66b50643ef70d5c25e0c6814fc55df425
SHA256 eea1e1b309f1f7beaf829fa636e2ca15bb9b02c3764c3432721cefbdde3741e5
SHA512 5e4e14c85f5f5933e924b0f8186af09356b387d835a04c31cabed881ddaa28d4607937f7474956bd16d5659565f2b00caa1e2d23524e771a48360046e2517a40

memory/1300-96-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 fddf3a7b7372d7b7c0aa2eae2cb582a6
SHA1 492f336df8c1a3467b38978955f1ad5ae03a65fd
SHA256 5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a
SHA512 20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f