Analysis Overview
SHA256
80ea7700f0bf3ce805448aa904fe6eedef23fb5c94c963304a22f196ec00462d
Threat Level: Known bad
The file 24324b4f141efbcee94b278fef963e5c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
ModiLoader, DBatLoader
Modifies WinLogon for persistence
ModiLoader Second Stage
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
UPX packed file
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 01:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 01:41
Reported
2024-07-04 01:45
Platform
win7-20240508-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\252884a2\\X" | C:\Windows\Explorer.EXE | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\sakeg.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\sakeg.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bmhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\cmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\252884a2\X | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /j" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /e" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /M" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /T" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /z" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /n" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /w" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /A" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /g" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /d" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /R" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /E" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /F" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /b" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /L" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /B" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /p" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /a" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /O" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /c" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /m" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /W" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /f" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /H" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /N" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /J" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /S" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /x" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /t" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /u" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /C" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /P" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /r" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /k" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /I" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /U" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /q" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /Z" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /Y" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /l" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /X" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /a" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /i" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /o" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /s" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /D" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /K" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /h" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /Q" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /v" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /y" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /G" | C:\Users\Admin\sakeg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sakeg = "C:\\Users\\Admin\\sakeg.exe /V" | C:\Users\Admin\sakeg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 2560 | N/A | C:\Users\Admin\amhost.exe | C:\Users\Admin\amhost.exe |
| PID 2680 set thread context of 1592 | N/A | C:\Users\Admin\bmhost.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1996 set thread context of 2008 | N/A | C:\Users\Admin\cmhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\sakeg.exe | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe"
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\sakeg.exe
"C:\Users\Admin\sakeg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\amhost.exe
C:\Users\Admin\amhost.exe
C:\Users\Admin\amhost.exe
amhost.exe
C:\Users\Admin\bmhost.exe
C:\Users\Admin\bmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\cmhost.exe
C:\Users\Admin\cmhost.exe
C:\Users\Admin\AppData\Local\252884a2\X
176.53.17.24:80
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\dmhost.exe
C:\Users\Admin\dmhost.exe
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Proto | Domain |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| N/A | 127.0.0.1:80 | tcp | |
| TR | 176.53.17.24:80 | tcp | |
| TR | 176.53.17.24:80 | tcp | |
| TR | 176.53.17.24:80 | tcp | |
| UA | 82.193.112.116:21860 | tcp | |
| AU | 101.116.124.29:21860 | tcp | |
| PL | 89.73.219.45:21860 | tcp | |
| RO | 79.118.77.103:21860 | tcp | |
| LT | 88.222.56.69:21860 | tcp | |
| US | 69.250.129.195:21860 | tcp | |
| CA | 70.81.44.41:21860 | tcp | |
| TR | 176.30.86.202:21860 | tcp | |
| US | 174.141.188.24:21860 | tcp | |
| KZ | 178.91.248.14:21860 | tcp | |
| JO | 94.249.55.111:21860 | tcp | |
| US | 24.46.123.138:21860 | tcp | |
| IN | 115.242.209.10:21860 | tcp | |
| CO | 190.26.101.67:21860 | tcp | |
| ID | 203.169.53.84:21860 | tcp | |
| KZ | 212.76.23.88:21860 | tcp | |
| AO | 41.70.167.39:21860 | tcp | |
| KZ | 46.36.136.165:21860 | tcp | |
| US | 128.122.94.12:21860 | tcp | |
| DE | 92.231.15.88:21860 | tcp | |
| US | 75.132.141.34:21860 | tcp | |
| AR | 186.111.236.70:21860 | tcp | |
| RU | 195.96.95.179:21860 | tcp | |
| KG | 178.216.209.13:21860 | tcp | |
| TR | 178.245.145.190:21860 | tcp | |
| RO | 188.25.162.139:21860 | tcp | |
| CA | 131.104.255.1:21860 | tcp | |
| BR | 201.40.210.50:21860 | tcp | |
| SE | 81.170.225.74:21860 | tcp | |
| US | 70.117.153.95:21860 | tcp | |
| AU | 101.116.112.34:21860 | tcp | |
| RU | 136.169.146.2:21860 | tcp | |
| RU | 46.191.210.42:21860 | tcp | |
| IN | 14.96.221.136:21860 | tcp | |
| KZ | 178.90.90.35:21860 | tcp | |
| FR | 46.105.8.114:21860 | tcp | |
| US | 24.107.182.20:21860 | tcp | |
| US | 109.246.238.57:21860 | tcp | |
| US | 67.240.113.178:21860 | tcp | |
| IN | 115.240.16.161:21860 | tcp | |
| FR | 82.234.113.202:21860 | tcp | |
| CO | 190.24.175.156:21860 | tcp | |
| RU | 46.147.192.139:21860 | tcp | |
| SE | 93.182.158.47:21860 | tcp | |
| US | 67.175.138.9:21860 | tcp | |
| CA | 70.65.141.173:21860 | tcp | |
| US | 69.145.125.224:21860 | tcp | |
| RU | 95.220.179.145:21860 | tcp | |
| IN | 106.76.214.92:21860 | tcp | |
| RU | 46.48.158.46:21860 | tcp | |
| RU | 109.111.162.61:21860 | tcp | |
| HK | 119.247.240.204:21860 | tcp | |
| BG | 78.90.135.67:21860 | tcp | |
| TT | 190.213.8.51:21860 | tcp | |
| CA | 216.246.224.198:21860 | tcp | |
| MK | 79.126.214.106:21860 | tcp | |
| RU | 94.41.27.147:21860 | tcp | |
| IN | 182.156.97.233:21860 | tcp | |
| PL | 84.10.70.246:21860 | tcp | |
| HN | 190.99.16.188:21860 | tcp | |
| US | 129.21.84.226:21860 | tcp | |
| BR | 187.11.71.126:21860 | tcp | |
| PT | 188.37.110.241:21860 | tcp | |
| JM | 216.10.209.57:21860 | tcp | |
| US | 67.10.235.214:21860 | tcp | |
| US | 24.11.139.131:21860 | tcp | |
| RU | 31.207.206.186:21860 | tcp | |
| MD | 188.131.111.69:21860 | tcp | |
| OM | 46.40.228.234:21860 | tcp | |
| MY | 182.63.74.42:21860 | tcp | |
| FJ | 210.7.25.105:21860 | tcp | |
| IN | 115.184.99.171:21860 | tcp | |
| KZ | 95.58.235.26:21860 | tcp | |
| MX | 201.167.33.127:21860 | tcp | |
| US | 207.191.205.143:21860 | tcp | |
| IN | 14.99.99.197:21860 | tcp | |
| RU | 46.48.200.108:21860 | tcp | |
| FR | 78.250.140.118:21860 | tcp | |
| IN | 203.90.81.237:21860 | tcp | |
| FR | 82.230.128.86:21860 | tcp | |
| IN | 117.225.6.110:21860 | tcp | |
| PH | 111.68.40.160:21860 | tcp | |
| KZ | 178.91.60.15:21860 | tcp | |
| TW | 125.227.184.100:21860 | tcp | |
| KZ | 212.76.9.85:21860 | tcp | |
| IN | 1.23.234.180:21860 | tcp | |
| UZ | 93.188.84.251:21860 | tcp | |
| DO | 190.166.208.66:21860 | tcp | |
| US | 69.253.17.94:21860 | tcp | |
| IN | 49.204.13.214:21860 | tcp | |
| IR | 31.57.100.109:21860 | tcp | |
| RO | 79.112.95.109:21860 | tcp | |
| PK | 111.88.47.52:21860 | tcp | |
| US | 98.160.212.176:21860 | tcp | |
| KR | 58.233.70.8:21860 | tcp | |
| US | 72.19.127.116:21860 | tcp | |
| KG | 158.181.149.196:21860 | tcp | |
| PT | 46.50.88.40:21860 | tcp | |
| US | 24.6.120.104:21860 | tcp | |
| HN | 190.53.78.114:21860 | tcp | |
| IN | 59.93.240.165:21860 | tcp | |
| US | 173.172.156.244:21860 | tcp | |
| PL | 85.222.93.25:21860 | tcp | |
| MX | 189.214.161.23:21860 | tcp | |
| VE | 186.92.84.39:21860 | tcp | |
| US | 98.215.149.242:21860 | tcp | |
| ES | 79.116.224.179:21860 | tcp | |
| ES | 77.27.212.30:21860 | tcp | |
| OM | 188.66.179.19:21860 | tcp | |
| CA | 69.70.45.186:21860 | tcp | |
| US | 68.226.243.185:21860 | tcp | |
| IN | 106.79.130.234:21860 | tcp | |
| US | 70.94.44.23:21860 | tcp | |
| KZ | 95.58.110.93:21860 | tcp | |
| SG | 222.165.56.168:21860 | tcp | |
| IN | 1.23.200.185:21860 | tcp | |
| US | 71.62.88.179:21860 | tcp | |
| US | 96.41.81.39:21860 | tcp | |
| AR | 190.193.7.204:21860 | tcp | |
| AR | 190.246.45.29:21860 | tcp | |
| IN | 117.230.77.230:21860 | tcp | |
| IN | 115.184.103.41:21860 | tcp | |
| CA | 99.231.30.158:21860 | tcp | |
| MK | 77.29.195.154:21860 | tcp | |
| SE | 79.138.235.241:21860 | tcp | |
| LT | 158.129.21.189:21860 | tcp | |
| US | 71.10.127.231:21860 | tcp | |
| IL | 84.94.189.96:21860 | tcp | |
| IN | 14.96.177.186:21860 | tcp | |
| MX | 189.220.204.24:21860 | tcp | |
| IT | 95.75.208.208:21860 | tcp | |
| US | 129.22.53.243:21860 | tcp | |
| US | 76.125.125.76:21860 | tcp | |
| IN | 182.237.128.155:21860 | tcp | |
| BT | 202.144.135.136:21860 | tcp | |
| KZ | 95.56.77.21:21860 | tcp | |
| KZ | 95.56.34.162:21860 | tcp | |
| CL | 190.101.26.74:21860 | tcp | |
| IN | 115.241.41.156:21860 | tcp | |
| US | 67.184.93.17:21860 | tcp | |
| MG | 41.188.33.4:21860 | tcp | |
| DE | 92.231.15.45:21860 | tcp | |
| MX | 189.194.147.244:21860 | tcp | |
| US | 71.202.35.179:21860 | tcp | |
| IR | 31.184.188.154:21860 | tcp | |
| IR | 2.176.22.69:21860 | tcp | |
| AU | 138.130.89.233:21860 | tcp | |
| KE | 197.178.185.64:21860 | tcp | |
| ES | 83.97.225.103:21860 | tcp | |
| CL | 190.164.63.28:21860 | tcp | |
| KZ | 92.47.209.177:21860 | tcp | |
| RU | 178.234.117.240:21860 | tcp | |
| MD | 89.28.102.142:21860 | tcp | |
| AR | 190.113.144.149:21860 | tcp | |
| AU | 124.184.180.45:21860 | tcp | |
| DE | 89.12.197.164:21860 | tcp | |
| US | 75.74.147.243:21860 | tcp | |
| CL | 190.162.186.100:21860 | tcp | |
| US | 66.191.237.173:21860 | tcp | |
| KZ | 95.58.12.224:21860 | tcp | |
| KZ | 178.89.58.92:21860 | tcp | |
| US | 76.16.129.67:21860 | tcp | |
| MX | 201.173.60.230:21860 | tcp | |
| RU | 2.93.157.92:21860 | tcp | |
| DE | 178.238.234.130:21860 | tcp | |
| KZ | 212.76.20.40:21860 | tcp | |
| KZ | 95.57.239.198:21860 | tcp | |
| US | 24.7.86.89:21860 | tcp | |
| CL | 200.83.17.225:21860 | tcp | |
| KZ | 178.89.136.152:21860 | tcp | |
| IN | 110.227.229.212:21860 | tcp | |
| AR | 190.105.2.83:21860 | tcp | |
| US | 71.60.24.124:21860 | tcp | |
| TR | 46.30.176.5:21860 | tcp | |
| FJ | 183.81.130.182:21860 | tcp | |
| MN | 49.0.187.143:21860 | tcp | |
| SA | 188.54.49.121:21860 | tcp | |
| KG | 158.181.182.85:21860 | tcp | |
| EC | 190.130.166.131:21860 | tcp | |
| BR | 189.69.66.187:21860 | tcp | |
| KZ | 85.29.157.69:21860 | tcp | |
| TW | 175.181.123.239:21860 | tcp | |
| HU | 89.132.133.91:21860 | tcp | |
| KZ | 178.91.238.198:21860 | tcp | |
| KZ | 212.76.2.252:21860 | tcp | |
| KZ | 95.56.52.235:21860 | tcp | |
| EC | 186.42.33.196:21860 | tcp | |
| KH | 87.247.162.223:21860 | tcp | |
| BG | 84.54.175.182:21860 | tcp | |
| US | 67.163.155.160:21860 | tcp | |
| IN | 27.4.242.99:21860 | tcp | |
| KR | 121.135.107.52:21860 | tcp | |
| NO | 188.113.127.144:25700 | tcp | |
| US | 75.110.231.24:25700 | tcp | |
| US | 71.58.52.32:25700 | tcp | |
| HU | 188.143.69.158:25700 | tcp | |
| US | 75.132.11.131:25700 | tcp | |
| PK | 119.154.89.161:25700 | tcp | |
| US | 68.206.39.222:25700 | tcp | |
| LT | 88.118.9.19:25700 | tcp | |
| US | 28.240.130.61:25700 | tcp | |
| US | 198.82.98.127:25700 | tcp | |
| US | 67.197.163.174:25700 | tcp | |
| US | 24.130.41.168:25700 | tcp | |
| CA | 216.104.111.135:25700 | tcp | |
| US | 99.14.85.82:25700 | tcp | |
| US | 71.87.243.75:25700 | tcp | |
| CD | 41.243.65.127:25700 | tcp | |
| US | 97.65.48.207:25700 | tcp | |
| US | 68.110.199.9:25700 | tcp | |
| KZ | 84.240.207.176:25700 | tcp | |
| US | 68.92.112.237:25700 | tcp | |
| US | 71.74.1.168:25700 | tcp | |
| ES | 79.117.78.238:25700 | tcp | |
| US | 98.180.21.161:25700 | tcp | |
| US | 69.142.187.67:25700 | tcp | |
| DE | 24.40.144.134:25700 | tcp | |
| PT | 62.169.120.205:25700 | tcp | |
| US | 99.64.192.239:25700 | tcp | |
| US | 70.113.206.81:25700 | tcp | |
| US | 76.27.59.89:25700 | tcp | |
| US | 69.180.38.221:25700 | tcp | |
| US | 67.184.24.170:25700 | tcp | |
| US | 71.95.157.6:25700 | tcp | |
| US | 128.36.54.183:25700 | tcp | |
| US | 76.107.104.13:25700 | tcp | |
| US | 71.86.99.90:25700 | tcp | |
| US | 50.88.221.71:25700 | tcp | |
| US | 76.181.141.94:25700 | tcp | |
| US | 24.126.187.34:25700 | tcp | |
| US | 18.245.7.14:25700 | tcp | |
| US | 75.73.60.153:25700 | tcp | |
| SG | 119.234.154.170:25700 | tcp | |
| FR | 82.234.113.202:25700 | tcp | |
| US | 24.12.204.68:25700 | tcp | |
| US | 98.231.208.73:25700 | tcp | |
| US | 71.236.155.16:25700 | tcp | |
| IT | 151.31.96.116:25700 | tcp | |
| DE | 178.200.126.51:25700 | tcp | |
| SE | 213.112.235.194:25700 | tcp | |
| PT | 79.168.109.47:25700 | tcp | |
| CA | 24.226.241.71:25700 | tcp | |
| US | 24.90.27.57:25700 | tcp | |
| US | 68.1.115.188:25700 | tcp | |
| US | 72.198.82.70:25700 | tcp | |
| US | 76.179.103.0:25700 | tcp | |
| US | 76.183.0.208:25700 | tcp | |
| US | 96.38.57.251:25700 | tcp | |
| US | 70.132.200.253:25700 | tcp | |
| US | 71.23.43.138:25700 | tcp | |
| DE | 217.13.173.105:25700 | tcp | |
| DE | 95.88.168.246:25700 | tcp | |
| GB | 92.236.32.199:25700 | tcp | |
| US | 173.175.167.134:25700 | tcp | |
| US | 69.132.184.166:25700 | tcp | |
| US | 98.217.15.123:25700 | tcp | |
| US | 24.131.109.230:25700 | tcp | |
| RO | 89.42.36.38:25700 | tcp | |
| US | 97.89.228.148:25700 | tcp | |
| KZ | 87.247.42.163:25700 | tcp | |
| IN | 223.29.199.151:25700 | tcp | |
| US | 68.11.134.106:25700 | tcp | |
| US | 69.113.16.97:25700 | tcp | |
| US | 66.56.32.93:25700 | tcp | |
| CA | 173.230.173.59:25700 | tcp | |
| DZ | 41.107.70.89:25700 | tcp | |
| US | 68.199.124.4:25700 | tcp | |
| US | 68.103.79.198:25700 | tcp | |
| US | 174.64.30.198:25700 | tcp | |
| US | 68.3.248.223:25700 | tcp | |
| CA | 74.12.234.101:25700 | tcp | |
| DE | 86.56.15.251:25700 | tcp | |
| US | 97.102.37.94:25700 | tcp | |
| US | 24.31.184.124:25700 | tcp | |
| US | 66.190.220.48:25700 | tcp | |
| US | 24.253.208.76:25700 | tcp | |
| US | 75.66.39.93:25700 | tcp | |
| IT | 151.81.146.112:25700 | tcp | |
| ES | 85.219.20.126:25700 | tcp | |
| US | 68.39.127.163:25700 | tcp | |
| US | 173.3.143.226:25700 | tcp | |
| US | 24.126.8.252:25700 | tcp | |
| US | 71.195.62.171:25700 | tcp | |
| US | 98.196.30.132:25700 | tcp | |
| US | 76.116.104.184:25700 | tcp | |
| US | 66.25.247.230:25700 | tcp | |
| US | 24.14.49.4:25700 | tcp | |
| PL | 91.207.60.22:25700 | tcp | |
| US | 67.60.244.54:25700 | tcp | |
| US | 24.99.224.18:25700 | tcp | |
| US | 71.194.116.155:25700 | tcp | |
| NL | 98.64.60.8:25700 | tcp | |
| DE | 78.43.118.192:25700 | tcp | |
| US | 67.162.64.31:25700 | tcp | |
| US | 75.108.60.107:25700 | tcp | |
| US | 76.115.46.206:25700 | tcp | |
| DK | 212.10.97.79:25700 | tcp | |
| BE | 84.195.107.140:25700 | tcp | |
| US | 67.172.173.99:25700 | tcp | |
| US | 76.169.142.205:25700 | tcp | |
| US | 69.204.107.254:25700 | tcp | |
| IT | 82.55.209.61:25700 | tcp | |
| US | 98.26.36.207:25700 | tcp | |
| US | 71.45.142.31:25700 | tcp | |
| FR | 81.51.40.68:25700 | tcp | |
| US | 24.18.125.203:25700 | tcp | |
| US | 68.37.37.133:25700 | tcp | |
| US | 69.76.179.226:25700 | tcp | |
| US | 69.205.231.132:25700 | tcp | |
| US | 67.85.181.95:25700 | tcp | |
| US | 76.105.72.3:25700 | tcp | |
| US | 24.228.5.130:25700 | tcp | |
| PL | 87.116.205.54:25700 | tcp | |
| US | 71.203.154.25:25700 | tcp | |
| US | 76.119.15.140:25700 | tcp | |
| US | 174.70.136.28:25700 | tcp | |
| US | 24.178.86.126:25700 | tcp | |
| US | 108.106.109.107:25700 | tcp | |
| US | 24.146.171.229:25700 | tcp | |
| US | 50.136.114.82:25700 | tcp | |
| CA | 74.59.63.112:25700 | tcp | |
| US | 71.68.97.7:25700 | tcp | |
| US | 24.91.136.219:25700 | tcp | |
| US | 24.245.2.5:25700 | tcp | |
| US | 71.95.34.209:25700 | tcp | |
| US | 216.26.97.151:25700 | tcp | |
| US | 68.62.166.162:25700 | tcp | |
| US | 69.113.201.236:25700 | tcp | |
| US | 174.57.113.217:25700 | tcp | |
| US | 65.185.120.89:25700 | tcp | |
| US | 69.143.8.209:25700 | tcp | |
| US | 71.77.72.78:25700 | tcp | |
| US | 76.31.37.100:25700 | tcp | |
| US | 74.196.169.67:25700 | tcp | |
| US | 98.214.78.126:25700 | tcp | |
| US | 96.18.183.250:25700 | tcp | |
| CA | 69.156.160.226:25700 | tcp | |
| US | 75.66.128.197:25700 | tcp | |
| US | 98.194.201.41:25700 | tcp | |
| US | 74.64.85.127:25700 | tcp | |
| US | 98.193.89.231:25700 | tcp | |
| DE | 91.64.176.203:25700 | tcp | |
| US | 24.250.24.134:25700 | tcp | |
| US | 107.8.75.96:25700 | tcp | |
| RU | 91.79.143.168:25700 | tcp | |
| US | 68.54.184.7:25700 | tcp | |
| US | 72.135.14.49:25700 | tcp | |
| US | 71.76.58.50:25700 | tcp | |
| US | 72.249.44.79:25700 | tcp | |
| US | 98.204.110.177:25700 | tcp | |
| US | 66.168.25.248:25700 | tcp | |
| US | 75.73.45.126:25700 | tcp | |
| US | 107.41.156.180:25700 | tcp | |
| US | 184.59.86.72:25700 | tcp | |
| US | 71.234.195.93:25700 | tcp | |
| US | 64.53.184.103:25700 | tcp | |
| IT | 151.81.79.182:25700 | tcp | |
| US | 24.27.176.91:25700 | tcp | |
| US | 69.122.91.56:25700 | tcp | |
| US | 76.190.213.150:25700 | tcp | |
| US | 76.118.218.158:25700 | tcp | |
| US | 24.158.142.102:25700 | tcp | |
| US | 65.185.76.30:25700 | tcp | |
| US | 24.30.7.62:25700 | tcp | |
| ES | 79.108.2.152:25700 | tcp | |
| RU | 94.180.203.48:25700 | tcp | |
| US | 66.169.32.66:25700 | tcp | |
| US | 75.66.198.134:25700 | tcp | |
| US | 24.217.238.43:25700 | tcp | |
| US | 50.12.174.124:25700 | tcp | |
| US | 97.106.237.122:25700 | tcp | |
| US | 67.169.67.143:25700 | tcp | |
| US | 68.58.196.120:25700 | tcp | |
| KZ | 95.56.27.119:25700 | tcp | |
| US | 107.2.144.105:25700 | tcp | |
| US | 68.3.244.77:25700 | tcp | |
| US | 76.186.89.77:25700 | tcp | |
| US | 76.116.86.5:25700 | tcp | |
| US | 76.170.106.209:25700 | tcp | |
| US | 24.217.82.195:25700 | tcp | |
| US | 184.201.93.26:25700 | tcp | |
| US | 24.46.123.214:25700 | tcp | |
| CZ | 213.211.60.35:25700 | tcp | |
| US | 75.177.162.9:25700 | tcp |
Files
\Users\Admin\srRTMxaDv9.exe
| MD5 | 57a5743f47b3a874773041195600909c |
| SHA1 | 74f5c16a6ca03baea7c684e40d351f1ec484a70d |
| SHA256 | eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90 |
| SHA512 | 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954 |
\Users\Admin\sakeg.exe
| MD5 | d853b95edccee6c0180bc056c2ef0be0 |
| SHA1 | 68fdb4fede4e714151e3ac715a84b80e3176ccd4 |
| SHA256 | 4d14dcba3941e5ec355355b8b58e09e7731b0bb0f05b29a7c3b48748c55be0fc |
| SHA512 | 9c8afa7dc47092ffef5cd3e043197877992ed68a62969db521d5ba2f7b72b441ccd4ca2504541260e646cd58b57f54c15fb195139dba8ad42782fd140a6eca3b |
\Users\Admin\amhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/2560-36-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2712-45-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2560-44-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-40-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-38-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-49-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-50-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-52-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2560-51-0x0000000000400000-0x000000000040E000-memory.dmp
\Users\Admin\bmhost.exe
| MD5 | 2da0070a7c50f3a078b73b4fb7ee7c02 |
| SHA1 | 999b4860a80b908622fadfc8fae27db66b200932 |
| SHA256 | f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf |
| SHA512 | 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630 |
memory/2680-64-0x0000000000650000-0x0000000000691000-memory.dmp
memory/2680-69-0x0000000000650000-0x0000000000691000-memory.dmp
memory/2680-68-0x0000000000650000-0x0000000000691000-memory.dmp
memory/2680-60-0x0000000000650000-0x0000000000691000-memory.dmp
memory/2680-70-0x0000000000650000-0x0000000000691000-memory.dmp
memory/2680-72-0x0000000000650000-0x0000000000691000-memory.dmp
memory/1212-81-0x00000000024B0000-0x00000000024B6000-memory.dmp
memory/1212-77-0x00000000024B0000-0x00000000024B6000-memory.dmp
memory/1212-73-0x00000000024B0000-0x00000000024B6000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | 4d7cde615a0f534bd5e359951829554b |
| SHA1 | c885d00d9000f2a5dbc78f6193a052b36f4fe968 |
| SHA256 | 414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a |
| SHA512 | 33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4 |
memory/336-87-0x0000000000E50000-0x0000000000E62000-memory.dmp
memory/2680-91-0x0000000000400000-0x0000000000446000-memory.dmp
\Users\Admin\cmhost.exe
| MD5 | 03102e4338eb16e0c4dfe106830557e3 |
| SHA1 | 4fdb5baf0900e44e95acdeee1c947be3b0518b39 |
| SHA256 | 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139 |
| SHA512 | c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9 |
\Windows\assembly\GAC_32\Desktop.ini
| MD5 | 878f9b6da85cb98fcbdf6abd1730a32f |
| SHA1 | 343007e658ea541f4680b4edf4513e69e1cc18a6 |
| SHA256 | 75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d |
| SHA512 | 5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293 |
\Users\Admin\AppData\Local\252884a2\X
| MD5 | be40a2578e862f1cecc9b9194f524201 |
| SHA1 | 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12 |
| SHA256 | 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6 |
| SHA512 | 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8 |
\Windows\assembly\GAC_64\Desktop.ini
| MD5 | 9d7ec1e355ac35cbe6991721ef5ae3b8 |
| SHA1 | c35a00bd35c6e4a7516b93947be08ead966347e8 |
| SHA256 | 68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98 |
| SHA512 | b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0 |
memory/1212-121-0x00000000024E0000-0x00000000024EB000-memory.dmp
memory/1212-120-0x00000000024D0000-0x00000000024DB000-memory.dmp
memory/1212-115-0x00000000024D0000-0x00000000024DB000-memory.dmp
memory/1212-111-0x00000000024D0000-0x00000000024DB000-memory.dmp
C:\Users\Admin\AppData\Local\252884a2\@
| MD5 | f5e66a93bc297ba83db0e7b5564ced3f |
| SHA1 | 863c519546cfba7531b8ecbf10ae5bede6d2193d |
| SHA256 | 94257ae4c040d8487cb44bc23030193944c72c12678dcd8b80684a3721b21231 |
| SHA512 | b7ee82bdc3057df90eed61a9d0d6d52420fb8baf6cc8f12f30144ecdd1f298f13d89e14bfa474ea939bd734440f185d7bba72d1140080a3ef975253191adaea3 |
memory/1996-128-0x0000000000400000-0x0000000000465C48-memory.dmp
memory/1996-136-0x0000000000400000-0x0000000000465C48-memory.dmp
\Users\Admin\dmhost.exe
| MD5 | 3b906143422ff578e4a9bc688441e89c |
| SHA1 | 4164ef104958d715275a85f62603b5118f8a6ebc |
| SHA256 | cb6cc4f0050dc045087df49249e1f2d57a86cc332106a904b7d59dff0819aacf |
| SHA512 | 06b1d0ae7c60565c982feaa6877f6538040b47d27f2b8ea0178ddab9505b5f91f69ac485adfa043747e7d8c8b9b75748dd11699d38eca76124f77ceda0e9daeb |
\??\globalroot\systemroot\assembly\temp\@
| MD5 | 811296d58d3e66816eaabab62ad21603 |
| SHA1 | b995c5d560808d98aa88732893f0d3cb5162651d |
| SHA256 | bf28975439a51b7587c903bbfeaf5f48536ffe3a5336243af1647f94ba1e50b4 |
| SHA512 | 0d4fdc054abc095fb35bcecf6e300baf665313c9dc7c360808e4ca5450e6d83c21e9e6760a91b5fefb0b2f363204ed6c89ac6bfbf91dc01c45478912a1677ce6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 01:41
Reported
2024-07-04 01:45
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\jauig.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\jauig.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6f42fddf\X | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /i" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /V" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /n" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /d" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /q" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /Z" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /g" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /N" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /p" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /o" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /x" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /X" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /h" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /w" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /P" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /T" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /L" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /H" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /G" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /S" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /R" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /I" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /u" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /U" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /y" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /z" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /s" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /E" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /v" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /A" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /k" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /D" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /Y" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /K" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /B" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /e" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /C" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /b" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /l" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /f" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /t" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /q" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /M" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /r" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /Q" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /a" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /c" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /J" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /O" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /F" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /j" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /m" | C:\Users\Admin\jauig.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jauig = "C:\\Users\\Admin\\jauig.exe /W" | C:\Users\Admin\jauig.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5036 set thread context of 3760 | N/A | C:\Users\Admin\amhost.exe | C:\Users\Admin\amhost.exe |
| PID 776 set thread context of 2636 | N/A | C:\Users\Admin\bmhost.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5028 set thread context of 2076 | N/A | C:\Users\Admin\cmhost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\cmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\jauig.exe | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe"
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\amhost.exe
C:\Users\Admin\amhost.exe
C:\Users\Admin\jauig.exe
"C:\Users\Admin\jauig.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\amhost.exe
amhost.exe
C:\Users\Admin\bmhost.exe
C:\Users\Admin\bmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\cmhost.exe
C:\Users\Admin\cmhost.exe
C:\Users\Admin\AppData\Local\6f42fddf\X
176.53.17.24:80
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\dmhost.exe
C:\Users\Admin\dmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 24324b4f141efbcee94b278fef963e5c_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\srRTMxaDv9.exe
| MD5 | 57a5743f47b3a874773041195600909c |
| SHA1 | 74f5c16a6ca03baea7c684e40d351f1ec484a70d |
| SHA256 | eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90 |
| SHA512 | 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954 |
C:\Users\Admin\jauig.exe
| MD5 | e4d11fbe09b35495bb17a82974385bba |
| SHA1 | b086231b6e103c72d2033aee8e99bfe58665909c |
| SHA256 | f868771508528711edbd953f1601f838c7ca136d3705b5b535830e468bf3d210 |
| SHA512 | cb790025e1094842bdc60bd46a42561aede488ccbb1ef119d1f214eca9ca16e5946714e4bcee6db561218fbb0678f00dab34d37735c384e8e0aa46e876cd381c |
C:\Users\Admin\amhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/5036-49-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3760-46-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3760-45-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3760-51-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3760-53-0x0000000000400000-0x000000000040E000-memory.dmp
memory/3760-52-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\bmhost.exe
| MD5 | 2da0070a7c50f3a078b73b4fb7ee7c02 |
| SHA1 | 999b4860a80b908622fadfc8fae27db66b200932 |
| SHA256 | f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf |
| SHA512 | 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630 |
memory/776-58-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\cmhost.exe
| MD5 | 03102e4338eb16e0c4dfe106830557e3 |
| SHA1 | 4fdb5baf0900e44e95acdeee1c947be3b0518b39 |
| SHA256 | 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139 |
| SHA512 | c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9 |
C:\Users\Admin\AppData\Local\6f42fddf\X
| MD5 | be40a2578e862f1cecc9b9194f524201 |
| SHA1 | 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12 |
| SHA256 | 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6 |
| SHA512 | 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8 |
memory/5028-73-0x0000000000400000-0x0000000000465C48-memory.dmp
memory/5028-81-0x0000000000400000-0x0000000000465C48-memory.dmp
C:\Users\Admin\dmhost.exe
| MD5 | 3b906143422ff578e4a9bc688441e89c |
| SHA1 | 4164ef104958d715275a85f62603b5118f8a6ebc |
| SHA256 | cb6cc4f0050dc045087df49249e1f2d57a86cc332106a904b7d59dff0819aacf |
| SHA512 | 06b1d0ae7c60565c982feaa6877f6538040b47d27f2b8ea0178ddab9505b5f91f69ac485adfa043747e7d8c8b9b75748dd11699d38eca76124f77ceda0e9daeb |