0a2aef9dec40e1004eec08ff11a1352002f2b94347bf148646231e440cb24418

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 14:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
Size

1.7MB
MD5

420510492da636173cac57ceca9ba4bd
SHA1

c0e83c3f0f9af57e7dfaf3ff1dfe436a6a9367b1
SHA256

0a2aef9dec40e1004eec08ff11a1352002f2b94347bf148646231e440cb24418
SHA512

23990416890db0f26bdca3a5eb80c7d5f040acc880d3c738314e0f8651012b1b4a076dde89efde6d5b3d31bda7eb7e55d70ff7de85b257a9bd4850e50d1d5be5
SSDEEP

24576:mQo4NHcCafRyWIu7XoqygBAy7v3d+fNAZz2yJrg8X589PGcOH0H3cY+v:v+Cc/sqygBAy7FyScYrgg589NA0Q

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\regsrvc = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ko2fuckoff.exe

Executes dropped EXE 2 IoCs

pid	Process
552	isass.exe
1060	ko2fuckoff.exe

Loads dropped DLL 1 IoCs

pid	Process
4308	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.Class1\ = "Project1.Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\ = "Project1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Data\\Lib\\Func.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ = "_Class1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Data\\Lib\\Func.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\ProgID\ = "Project1.Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.Class1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.Class1\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\ = "Project1.Class1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.Class1\Clsid\ = "{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ = "_Class1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib\ = "{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ = "Class1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\TypeLib\ = "{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Data\\Lib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EEAF2BF9-B8AF-4DD9-8BDB-E23A6433219E}\TypeLib\ = "{3EF578D6-0DFE-42BB-8606-BD4EA7EB2632}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C937DE15-54CD-4F2D-9722-0BC3BD0835A0}\Implemented Categories	regsvr32.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2672	reg.exe
4768	reg.exe
4964	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1060	ko2fuckoff.exe
1060	ko2fuckoff.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 552	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	85
PID 708 wrote to memory of 552	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	85
PID 708 wrote to memory of 552	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	85
PID 708 wrote to memory of 452	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	86
PID 708 wrote to memory of 452	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	86
PID 708 wrote to memory of 452	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	86
PID 708 wrote to memory of 1060	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	88
PID 708 wrote to memory of 1060	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	88
PID 708 wrote to memory of 2728	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	89
PID 708 wrote to memory of 2728	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	89
PID 708 wrote to memory of 2728	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	89
PID 708 wrote to memory of 1632	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	92
PID 708 wrote to memory of 1632	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	92
PID 708 wrote to memory of 1632	708	420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe	92
PID 452 wrote to memory of 3456	452	cmd.exe	94
PID 452 wrote to memory of 3456	452	cmd.exe	94
PID 452 wrote to memory of 3456	452	cmd.exe	94
PID 3456 wrote to memory of 4768	3456	cmd.exe	95
PID 3456 wrote to memory of 4768	3456	cmd.exe	95
PID 3456 wrote to memory of 4768	3456	cmd.exe	95
PID 2728 wrote to memory of 5064	2728	cmd.exe	96
PID 2728 wrote to memory of 5064	2728	cmd.exe	96
PID 2728 wrote to memory of 5064	2728	cmd.exe	96
PID 1632 wrote to memory of 1888	1632	cmd.exe	97
PID 1632 wrote to memory of 1888	1632	cmd.exe	97
PID 1632 wrote to memory of 1888	1632	cmd.exe	97
PID 5064 wrote to memory of 4964	5064	cmd.exe	98
PID 5064 wrote to memory of 4964	5064	cmd.exe	98
PID 5064 wrote to memory of 4964	5064	cmd.exe	98
PID 1888 wrote to memory of 2672	1888	cmd.exe	99
PID 1888 wrote to memory of 2672	1888	cmd.exe	99
PID 1888 wrote to memory of 2672	1888	cmd.exe	99
PID 1060 wrote to memory of 5100	1060	ko2fuckoff.exe	100
PID 1060 wrote to memory of 5100	1060	ko2fuckoff.exe	100
PID 5100 wrote to memory of 4308	5100	regsvr32.exe	101
PID 5100 wrote to memory of 4308	5100	regsvr32.exe	101
PID 5100 wrote to memory of 4308	5100	regsvr32.exe	101

C:\Users\Admin\AppData\Local\Temp\420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\420510492da636173cac57ceca9ba4bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:4768
- C:\Users\Admin\AppData\Local\ko2fuckoff.exe
  "C:\Users\Admin\AppData\Local\ko2fuckoff.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s Data\Lib\Func.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\regsvr32.exe
      /s Data\Lib\Func.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\check.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V regsrvc /D "\"C:\Users\Admin\AppData\Local\isass.exe\"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:2672

Network

DNS

4.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.159.190.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

www.chaoskoxp.com

ko2fuckoff.exe

Remote address:

8.8.8.8:53

Request

www.chaoskoxp.com

IN A

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR
DNS

36.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.56.20.217.in-addr.arpa

IN PTR

Response
DNS

36.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.56.20.217.in-addr.arpa

IN PTR

No results found

8.8.8.8:53

4.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

4.159.190.20.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

www.chaoskoxp.com

dns

ko2fuckoff.exe

63 B
136 B
1
1

DNS Request

www.chaoskoxp.com
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

11.227.111.52.in-addr.arpa

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

36.56.20.217.in-addr.arpa

dns

142 B
131 B
2
1

DNS Request

36.56.20.217.in-addr.arpa

DNS Request

36.56.20.217.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Data\Lib\Func.dll

Filesize
24KB

MD5
18f1b9ee7028d06927793a7bef775042

SHA1
5a5d77d37039f87bad9a12b1502cc7d6885a4bd3

SHA256
e58deb81e9f780d8366610d85561a6cbb8af4ac64f2925089039ccaee4bcad83

SHA512
f58cb86bb773b2c2db5431bc6298b04f9b420ffb396648427029bdccd21f4bfcac5367149c123f00211adabde9b29dcacc3dce2d8682f41b45182b9c9fdf65e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.bat

Filesize
162B

MD5
1fe82309aa71db17b512cd0e70abf24e

SHA1
de388174e708108cde672d8f93fb756614b8ee93

SHA256
0a8129d9351f146392e0e2bf88f024b113d47524d13db9cd1a905a73d94f6b99

SHA512
c125fa0e846fd30d889999726e39c312579a79cf0852984aa66e27f8897ea1a6c12125f655b524e89d165a060d988bb049241b7cea444236f0475045d5b79d32

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
169KB

MD5
9611984959f46af1b44f16675293df38

SHA1
be4f8bb96d1e5b289a327b01773acd145dd6dd7b

SHA256
1db63137e0f2a371925c8d378fd48c8471a6cb9ea7db4f0ae249894d65af4b13

SHA512
06b7ef16c46b9295b7a8fb9dd36b1cca18b2b31c15521a5235071cc3cd3fe95824ef3d22aa5eb686cb1cd3041b399d0edbd82f3b7ed4eb63a8354c0f1ceed12a

Download Submit
C:\Users\Admin\AppData\Local\ko2fuckoff.exe

Filesize
1.2MB

MD5
806b2ec01dce55188b8dc6913052a25e

SHA1
40e83d827b602010b4abc0999c1369ada0be1aa6

SHA256
94584229ecc80c82b6841d446beb9dcc1c043393d8f5dd34cd585e9080f24aa5

SHA512
46d8df3f7f4286a59f3c9ae22ab8918b9f3427607cb8c2974a302d362f4a157357b98e477426984f633492f2936d7ac939983f89d59d08f5dbfe389c070cd136

Download Submit
memory/708-29-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/1060-30-0x00007FFA7E3C5000-0x00007FFA7E3C6000-memory.dmp

Filesize
4KB

Download
memory/1060-33-0x00007FFA7E110000-0x00007FFA7EAB1000-memory.dmp

Filesize
9.6MB

Download
memory/1060-34-0x00007FFA7E110000-0x00007FFA7EAB1000-memory.dmp

Filesize
9.6MB

Download
memory/1060-35-0x000000001C320000-0x000000001C7EE000-memory.dmp

Filesize
4.8MB

Download
memory/1060-36-0x000000001C890000-0x000000001C92C000-memory.dmp

Filesize
624KB

Download
memory/1060-37-0x00000000015C0000-0x00000000015C8000-memory.dmp

Filesize
32KB

Download
memory/1060-38-0x000000001C970000-0x000000001C9BC000-memory.dmp

Filesize
304KB

Download
memory/1060-32-0x000000001BDA0000-0x000000001BE46000-memory.dmp

Filesize
664KB

Download
memory/1060-46-0x0000000021ED0000-0x0000000022676000-memory.dmp

Filesize
7.6MB

Download
memory/1060-55-0x00007FFA7E3C5000-0x00007FFA7E3C6000-memory.dmp

Filesize
4KB

Download
memory/1060-56-0x00007FFA7E110000-0x00007FFA7EAB1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.