f7f636b1cd2fbc7b60690c170c2f46c2d6fcbd2aacf079aa10f1edbd44e8ade3

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
Size

4.9MB
MD5

5a4fee966438cdad45546b81ef34d74a
SHA1

e17c9aa963a2fcf4356a243602c3d9aa3a938f34
SHA256

f7f636b1cd2fbc7b60690c170c2f46c2d6fcbd2aacf079aa10f1edbd44e8ade3
SHA512

6fe5bfc748f11edddeb893a5355d8ef9598c2a60f187c9fcebc623c0a4f73673a56467766969e41ce83f799216a0b0938161ce44d5dbd66bb422f9a091d3b74c
SSDEEP

98304:5ECRus8zZl856bYSEoNbRBrAtECszmaza0iIEy7U39ZJj4pd/fmvukIVNmNO4nhx:zRJ8mMY9GVV2ECy1OoaNZt4KvITkFnhx

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST4UNST Uninstaller.LNK	SETUP.EXE

Executes dropped EXE 9 IoCs

pid	Process
1704	NH2004~1.EXE
1532	NHINST~1.EXE
2332	STUNTB.exe
1440	WHCC-2~1.EXE
2108	whInstaller.exe
2128	SETUP.EXE
2876	whAgent.exe
1580	setup132.exe
356	setup132.exe

Loads dropped DLL 35 IoCs

pid	Process
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
1704	NH2004~1.EXE
1704	NH2004~1.EXE
1704	NH2004~1.EXE
1704	NH2004~1.EXE
1532	NHINST~1.EXE
1532	NHINST~1.EXE
1532	NHINST~1.EXE
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
2332	STUNTB.exe
2332	STUNTB.exe
2332	STUNTB.exe
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
1440	WHCC-2~1.EXE
1440	WHCC-2~1.EXE
1440	WHCC-2~1.EXE
1440	WHCC-2~1.EXE
2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
2108	whInstaller.exe
2108	whInstaller.exe
2108	whInstaller.exe
2128	SETUP.EXE
2128	SETUP.EXE
2128	SETUP.EXE
2108	whInstaller.exe
2108	whInstaller.exe
2876	whAgent.exe
2876	whAgent.exe
2876	whAgent.exe
2128	SETUP.EXE
1580	setup132.exe
356	setup132.exe
356	setup132.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4f2-264.dat	upx
behavioral1/memory/1704-273-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1704-297-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x000500000001a4f6-309.dat	upx
behavioral1/memory/1440-314-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1440-347-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\webHancer Agent = "\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""	whInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\webHancer Survey Companion = "\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""	whInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\temp.000	SETUP.EXE

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\webHancer\Programs\readme.txt	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13B3.tmp	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall\whAgent.ini	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whInstaller.ini	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whiehlpr.dll	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\Sporder.dll	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\webhdll.dll	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\webhdll.dll	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\whiehlpr.dll	WHCC-2~1.EXE
File created	C:\Program Files\webHancer\Programs\SET13A1.tmp	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall\license.txt	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\readme.txt	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\whAgent.exe	WHCC-2~1.EXE
File opened for modification	C:\Program Files\webHancer\Programs\whSurvey.exe	whInstaller.exe
File created	C:\Program Files\webHancer\Programs\SET13A2.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13B4.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\whiehlpr.dll	whInstaller.exe
File created	C:\Program Files\webHancer\Programs\SET13B3.tmp	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whAgent.exe	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whInstaller.exe	WHCC-2~1.EXE
File created	C:\Program Files\webHancer\Programs\SET13A0.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\whAgent.exe	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\whAgent.ini	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall\whAgent.inf	WHCC-2~1.EXE
File created	C:\Program Files\webHancer\Programs\SET13B4.tmp	whInstaller.exe
File created	C:\Program Files\webHancer\Programs\SET13B6.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13A0.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13A1.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13A2.tmp	whInstaller.exe
File created	C:\Program Files (x86)\whInstall\readme.txt	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whAgent.ini	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whSurvey.exe	WHCC-2~1.EXE
File created	C:\Program Files\webHancer\Programs\SET13B5.tmp	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall\whInstaller.exe	WHCC-2~1.EXE
File opened for modification	C:\Program Files\webHancer\Programs\license.txt	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\sporder.dll	whInstaller.exe
File opened for modification	C:\Program Files (x86)\whInstall\whSurvey.exe	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\Sporder.dll	WHCC-2~1.EXE
File opened for modification	C:\Program Files\webHancer\Programs\SET13B5.tmp	whInstaller.exe
File opened for modification	C:\Program Files\webHancer\Programs\SET13B6.tmp	whInstaller.exe
File created	C:\Program Files (x86)\whInstall\license.txt	WHCC-2~1.EXE
File opened for modification	C:\Program Files (x86)\whInstall\whInstaller.ini	WHCC-2~1.EXE
File created	C:\Program Files (x86)\whInstall\whAgent.inf	WHCC-2~1.EXE

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SET13B7.tmp	whInstaller.exe
File opened for modification	C:\Windows\SET13C7.tmp	whInstaller.exe
File opened for modification	C:\Windows\SET13C8.tmp	whInstaller.exe
File created	C:\Windows\SET13C8.tmp	whInstaller.exe
File opened for modification	C:\Windows\SET13B7.tmp	whInstaller.exe
File opened for modification	C:\Windows\webhdll.dll	whInstaller.exe
File created	C:\Windows\SET13C7.tmp	whInstaller.exe
File opened for modification	C:\Windows\whInstaller.exe	whInstaller.exe
File opened for modification	C:\Windows\ST4UNST.000	SETUP.EXE
File opened for modification	C:\Windows\whAgent.inf	whInstaller.exe
File created	C:\Windows\ST4UNST.000	SETUP.EXE
File created	C:\Windows\temp.000	SETUP.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	whInstaller.exe
File opened for modification	C:\Windows\whInstaller.ini	whInstaller.exe
File created	C:\Windows\SETUP.LST	SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C4671C-499F-101B-BB78-00AA00383CBB}	setup132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C4671C-499F-101B-BB78-00AA00383CBB}\ = "VBA Collection Object"	setup132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C4671C-499F-101B-BB78-00AA00383CBB}\InprocServer32	setup132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C4671C-499F-101B-BB78-00AA00383CBB}\InprocServer32\	setup132.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2876	whAgent.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeRestorePrivilege	2108	whInstaller.exe
Token: SeLoadDriverPrivilege	2876	whAgent.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
356	setup132.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1704	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	31
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 1704 wrote to memory of 1532	1704	NH2004~1.EXE	32
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2332	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	33
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 2308 wrote to memory of 1440	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	34
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 1440 wrote to memory of 2108	1440	WHCC-2~1.EXE	36
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2308 wrote to memory of 2128	2308	5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe	37
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2108 wrote to memory of 2876	2108	whInstaller.exe	38
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 1580	2128	SETUP.EXE	39
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40
PID 2128 wrote to memory of 356	2128	SETUP.EXE	40

C:\Users\Admin\AppData\Local\Temp\5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a4fee966438cdad45546b81ef34d74a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308
- C:\temp\kwdbfm\help\NH2004~1.EXE
  C:\temp\kwdbfm\help\NH2004~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\NHINST~1.EXE
    NHINST~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1532
- C:\temp\kwdbfm\help\STUNTB.exe
  C:\temp\kwdbfm\help\STUNTB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2332
- C:\temp\kwdbfm\help\WHCC-2~1.EXE
  C:\temp\kwdbfm\help\WHCC-2~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Program Files (x86)\whInstall\whInstaller.exe
    "C:\Program Files (x86)\whInstall\whInstaller.exe" /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Program Files\webHancer\programs\whAgent.exe
      whAgent.exe C:\PROGRA~1\WEBHAN~1\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:2876
- C:\temp\kwdbfm\SETUP.EXE
  C:\temp\kwdbfm\SETUP.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\setup132.exe
    C:\Windows\setup132.exe /REGSERVER
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1580
- - C:\Windows\setup132.exe
    C:\Windows\setup132.exe "C:\temp\kwdbfm\" "C:\Windows\ST4UNST.000" "C:\Windows\ST4UNST.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\WHINST~1\license.txt

Filesize
7KB

MD5
c2cce761bc9b859c41f96afb1fd63da1

SHA1
cade3d687b83dbc377cdcd2d3ab2650475bef217

SHA256
7c3964aeb479fb2412ee78b0e758b56a9acc530ead974219430db9dce91d60e4

SHA512
e5be382d464c09fec222f615bedde386f13cf332df1975d54ed42d9809f0b0c382325c14106aee69f806ef87d970550e2b68ca55e6024d1db3c300d1d3e832ba

Download Submit
C:\PROGRA~2\WHINST~1\readme.txt

Filesize
1KB

MD5
e4c96fc384c06da6b6e186d3a1358ee2

SHA1
d9f40cc0e6f39629ec33388d99b6f989ead747c8

SHA256
a9170533207e1c27fc07043e0627e5b2243a50b1309f1203089d88a0a7c24e3b

SHA512
38512da3c4da6cb43f211a323d7e1101988de7006c7ed1aaa3b04c27194608364ecdab3b873e6d9806b1814f987d5753040d8eb6fa5c68f06c2b1606676652d6

Download Submit
C:\Program Files (x86)\whInstall\whAgent.inf

Filesize
4KB

MD5
6338e7ef6c6bd199c452c66482e89713

SHA1
8b45a4c4f3ae22742cfdd8f8530a436506d71524

SHA256
67e1eae61d3a0b204b0268b077071128a48b0bd39e9d72359dad48931e9c3634

SHA512
06a7f5b38beda9431863b4d47113d53051d88e1ec937866849266832938d10e75438bc416f19d49e6d0f6133a6d52eb9333f1bb781dd8d2359100fd44a61c282

Download Submit
C:\Program Files (x86)\whInstall\whInstaller.ini

Filesize
760B

MD5
3827bbfee1ee0bcf09a40a4ef761406d

SHA1
875c45d073630a9cb9a6c7b5e9a43663a7ed5102

SHA256
4f3eed09b035759ce63afb9954b2bf0f4a9938b644921450224a932aa16fadf9

SHA512
73ae5ed7bd67fcac49bd6c2a8a42f22cb1e644ff7a87be426f9e92430de2e543bcae4a06404b01d4b5370d6d65ed6be90f4064590797973f6a4c80ab1a91c834

Download Submit
C:\Program Files\webHancer\Programs\sporder.dll

Filesize
11KB

MD5
471789f182c0b60304ce19f023d8911d

SHA1
2c5e44949734650d50a6b8a47a73ee2296eb1bf7

SHA256
aa7db6f720c50f0705f36165c738ae5dbac3c348e814e81dfa6b018277663870

SHA512
c8cf49f5814375f9f72884f9753f08244f3af7ed26fa414e986ec367789e7135cccb2a4758139dd2157a3d982beea1fe99855796e2e4e050ba8c6d12be36205d

Download Submit
C:\Program Files\webHancer\Programs\whAgent.exe

Filesize
224KB

MD5
933edeebc9bd5203f6747e1ea152b52c

SHA1
bffc3cc9c3e39fec367068c08ab4f4d83e920094

SHA256
3b706dcd0fc886acc0fa38b98c83dfef49e0e635c24617f7f8160a26645167c6

SHA512
07b6ed77f5c36e3a7638dfa338d0d985e6582f5dfeca93264c835493d73699d878681b4d3a3ac7077314e62cb91f81e23235212e98de822364e214ec67d7b228

Download Submit
C:\Program Files\webHancer\Programs\whAgent.ini

Filesize
17B

MD5
55d46b99cc8f1a7328d7f9cc2de6b934

SHA1
7b8efea2b0987b4ab7022ed93bc4fa1761ca7f78

SHA256
7becf7301a84997861b517150016ca6d6a81da177acf55b2fdfaa5d19e91dce5

SHA512
4efc24db3e83e3a0a332ed405c2f66920e97a9a370f3afdd38a0138584b4607bd535cf913d5be10319287464dabf44851041593b53a323db14c81329cdae5d95

Download Submit
C:\Program Files\webHancer\Programs\whSurvey.exe

Filesize
140KB

MD5
91abe7b9fd549aac55612596aa3a77de

SHA1
2b2d2d8cc47ce7be0020e80613fa0cb8a8873515

SHA256
d2792847753b3c2daf93993391804655e1cee427180b99dc0f3a6cac28d6ee4d

SHA512
416cebda6992c354f9475fce3549d4310ffd5f992885d16c439d9f59c06300f06a3f67e830ce6f59ccded0ccb05c4421e6e1e67ab9a1b58360c71d0231109e89

Download Submit
C:\Program Files\webHancer\Programs\whiehlpr.dll

Filesize
104KB

MD5
fd7eabc5c5ffb21908ead00864dd95ff

SHA1
3090fdbd5f14cb7626964bca84970436222c391d

SHA256
5d5fe13924f091f605642473acc6aea2f08d704dda9d28c8b0fcf079678b1e23

SHA512
21490fd954cccc323008598d40a82f0ee3d0fc22b87b18e29a5e670758f8009801cda3058574983e9271c33dcc0cf7ac3eb5d85b0c79d254ac769287aa96a8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHINST~1.EXE

Filesize
140KB

MD5
2845a2243cae99a0891dee061b486636

SHA1
f6ef5a3fd66856fac11ba3511fed5dfa6e18e72f

SHA256
5338b10492284497a76cc76a185d1cfea383d3c2c4e1190508949b62661296ac

SHA512
44339c3efd79a4ee53b754ba058f4e2eb91881893681d8913ece32b6f6716687735823c87b3559d93fa1f47262e1739199e50b3155026b0ad191f4ca4aa01267

Download Submit
C:\Windows\ST4UNST.EXE

Filesize
59KB

MD5
385ea1b5e9d2229cf81f03392700efae

SHA1
4896933fddcbbbd7d4de321250e4af845f92461b

SHA256
80301bfeaac1ef4cc447308dac176969ffc4ef41f046bb00663e1d7886aff128

SHA512
1209dc40a14b8a992b6af8139448bc6ccad699e3f6b3cba6bdc0a6f192eaf861b58e413a8ed8ec7bf177bc5cc3d895b55fd1772a72f6c6d2ceb61d1ae875943c

Download Submit
C:\Windows\SysWOW64\stkit432.dll

Filesize
24KB

MD5
b21553227f7a0139735c0ef665580650

SHA1
3894a3bde256f45909f47d777e4a54eb9e21b0c6

SHA256
f7d529aab8a1dd65d939deae66298fe4ffd039ecfe9af87fa276cd5e4e66c35e

SHA512
9da6b853848c81a0255caef6108fddef8a93c1cf6ba54aeeb9ea8f4fcee15ec7c65ce28d191ff8422cc00b778fb3bc0678d3c567a30baecccca32d4415d0e54a

Download Submit
C:\Windows\setup132.exe

Filesize
167KB

MD5
6f32d2798d2b1758e1d5431bdf4d6a65

SHA1
651e5e227fd16f16152b9a0ba776869ce943771b

SHA256
14def9765dd4a7f823ce56f9c192282c706d09cb67c531138baa3c14ebe64149

SHA512
bf5e3fccf08e6ed9c5665c4586b1a3aa7873080947144a2d428724199e1e0daeb2c922974efe05a2fdb33d5e8fa4983de3912bc57203eb8acf12e2f3c1004856

Download Submit
C:\Windows\webhdll.dll

Filesize
40KB

MD5
759d525e3037d21b5e257a2ba080737d

SHA1
11d84f0e6f159125410a92701e3f71e3af620c30

SHA256
793b1f087aae59f3b749f65091abfcbb7cf60b873c4c98d39189ce25ab6387d1

SHA512
245a1e6fb7bb3171c2d8c2582f23060045b4b23cb5950cdba23aabc55675f8714b9fc1dead0b649da8e71088aa2c79ce408554fef7a4ef2c39bfc4688df326c4

Download Submit
C:\temp\Licence.txt

Filesize
3KB

MD5
f886a60f4631c043664199794be5219c

SHA1
f68828c95a619682176ca0142aaa368df7ce14a8

SHA256
e1170f808d57ff26b5be3f226b60837478a8b8fe7f4d1304aa6f007d59a6e37c

SHA512
b77dec9169f35ab7aab9b8dda82cb307d8d49853d09688a2d756c2e1b439073ae1d428e1d21e804627384de63b40678b026a90bf378c0c72359360b5b64ce105

Download Submit
C:\temp\NavExcel.txt

Filesize
8KB

MD5
5afa657d2103f0afa48beb5686917510

SHA1
8e3941daf6afb0b0eeadb63fc527bc1a355fe0c4

SHA256
cf8ccac7c9070befe2474650fe3d07128df4e2bbba6be93d9a5f5530a504a551

SHA512
fbd5af1ddb7a67cf5e1aa958efc1a3aae900014af62203b654b4da3ee7087f8d6afff6279c2e1183d932e2d5051db3b40a12fd8e1488191733caa0c16925a8e7

Download Submit
C:\temp\kwdbfm\SETUP.LST

Filesize
13KB

MD5
e5be3d961d528801288a6813c49e2f36

SHA1
02725cc997a2aa63f3d3d37abe8d38c6b2f0326f

SHA256
7bd2417956c67d53ff09e5610d350ef3e5bce174d48495e36c3b63929c82efa1

SHA512
c391958518cffb659b4712a4b074e229bc5b57c021914f1947666792b1312f7c4252bdf6edddedbb08f12eb0645de15736c4aeceb038b30882a431870b1056d2

Download Submit
C:\temp\kwdbfm\ST4UNST.EX_

Filesize
32KB

MD5
8e5fe36943340b3badd494f28cdc3ff9

SHA1
2164c51b5686ed5285edeaa286663872dfd704f7

SHA256
803d047fe1bacaaf28ca776e07001d7b10dd7b81509245b4db09239815d47a75

SHA512
319c74a58294b7be717fc5c8e60ce7904e0a183c4e6c10bff3538c6b0e462c6bb1709af97dd6e4cafdff0d8ae87b22181e6b6a07863f077cede14240657c00c4

Download Submit
C:\temp\kwdbfm\VB40032.DL_

Filesize
460KB

MD5
1522ec1c35db2eaa3333455d019d5568

SHA1
c53dc93b11abacfd305be52d85fc96496bb6f682

SHA256
695440a9d8e28740aa256cd194b44911f66c827354559608aa166e87413eb8ce

SHA512
473f53f5a4f9038efdfc2d9983abf84f26752250d8843ae3df47322c80d9412379797240af7ee540292da6eb1c7f5b2aa3330908785fbd13182bda5625193b63

Download Submit
C:\temp\kwdbfm\setup132.ex_

Filesize
67KB

MD5
df94bf0db3ba5f7e620b3748b53516c2

SHA1
cc8ab6a796a43aa60cb3472d5bbf2c2ff8cc63dc

SHA256
8b169fe8c68932c27ddaff232d7fd254a33f246cc7495c99c5c418d963850f41

SHA512
9683b81917157028ebb6988fd2322d6937ddcbb09fb45b61f78899bbe4ff52e101a8081323561754d94e56778a02a82d9edad516ef0b5825e4932db35dfd04c2

Download Submit
C:\temp\kwdbfm\stkit432.dl_

Filesize
12KB

MD5
90fda5e85a13abaa55cf721986724629

SHA1
30609cde5372adc297dfb6de55f0fa9141deede0

SHA256
d16ef02b89b5db9ec7f9c306c4768aee8cfc600e86d6bcbc08998e40c9bb578d

SHA512
f1628bc89b613522b860df7c2b8e74ddcf25a6de0f7873172b83338230efaa353a37e9709a18c2b68246ebd083407fe0198fb96c1c5f198d632416b27d334dc9

Download Submit
\Program Files (x86)\whInstall\whInstaller.exe

Filesize
32KB

MD5
d9fbbd131a0e48f466ebc92167e7e107

SHA1
9da7bb16dad9f94ee7240da0c99b053d0761d7e3

SHA256
bedc85601243422e581209c8c24649be4ad2e290b202916c7c2cb675cfc32aa2

SHA512
f8fa222290311efea506e176b08f1870efdb616136460e4a896b86b638b9be154101a6cf1aaec222a9d0926f8e69340a7aba9b8a5a84d4d7e60955523952b2bc

Download Submit
\Windows\SysWOW64\VB40032.DLL

Filesize
704KB

MD5
17db6a514b5fdc737dd44ba49ad6d76e

SHA1
eb61d1c7f72a45c12b1e96cea4daa5dd15384d99

SHA256
0f1604c9a7398cbb317383799b88c4e1aa7ce0b2c968392f0a7a9ddff22ec57d

SHA512
190f61e52821472ff1d80cd16141fb62461abdea256a93dc7e28b8010b03aa19ad228d4a5481aa1d57ea19e3fb574223ec862c7239645b5983fd1194eb012db8

Download Submit
\temp\kwdbfm\SETUP.EXE

Filesize
57KB

MD5
48a2c7c9da922042cf0b0361f5855850

SHA1
b6afcc48f501eaea4ded7773aab9b52fb2d42480

SHA256
0ddf428756e68f4fb903b40f73afc58888854f177ab080888903e2ed48b254d2

SHA512
cf4015296b6ac056b150ce820cdeb0a3d22185a4c6e964bc37093253915314cf4c9e820c5f94ea388e73f58aad2d7d300449b2a10a5bde905c164308e25b5724

Download Submit
\temp\kwdbfm\help\NH2004~1.EXE

Filesize
196KB

MD5
669110e44a9db0c9c0182afedd37058d

SHA1
0217504928c8b3ae8446d061924699b7f63ba9d6

SHA256
97122fae3c88040cc38ab6331a43c324ad22e52e1cf14b6ea4b1ec675daf0d74

SHA512
d44ed14f892bd16594fc6ba97d1f27ec4d63b2236d368b5a99f00d7dc98f1bedc0fb73071a2e622c5e9367f46614fa7018d6d63a5717971d9a65651bd775ecec

Download Submit
\temp\kwdbfm\help\STUNTB.exe

Filesize
320KB

MD5
2d7e625cd7e72931ea62454a38a18f4e

SHA1
93760d5a0a6c5ef51057ea3c24cc381b71242258

SHA256
a4f91e6078fa67f62f269cb87664df55b2f822b9f95c586c8fa178e92b778f50

SHA512
636a4b314bdbb85d3f85d128504841e5364a1ffca36df11d8461b7fe8de494b8817710bb1877a537bc81ce0efc7e35a259d019bfde4a3adcaaa8bccb01c9f37a

Download Submit
\temp\kwdbfm\help\WHCC-2~1.EXE

Filesize
222KB

MD5
1a5fbeaf64e9a43eef5238a4adab8509

SHA1
774a3d92b77ae179ce1af0d3d216ef9e56e509bb

SHA256
d70bb9cf0ddfa4c068fa2e464a0ebd86330d6a41fdaa0121ea2e53084ade6a45

SHA512
9a57d95770d9af6d2680d086d58ef73edeb3552071011cdc658241771fbcd5ccff164c3141e878fdc12adad2cd933075ae65e6af28c4033d04de1e69c71f2129

Download Submit
memory/356-518-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-524-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-516-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-526-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-533-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/356-517-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-514-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/356-525-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-519-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-520-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-512-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/356-531-0x00000000024D0000-0x00000000024D2000-memory.dmp

Filesize
8KB

Download
memory/356-530-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/356-515-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/356-528-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-527-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-521-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-513-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/356-529-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-523-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/356-522-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1440-314-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1440-319-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/1440-347-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1704-273-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1704-297-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-532-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2308-266-0x00000000038C0000-0x00000000038EA000-memory.dmp

Filesize
168KB

Download
memory/2308-362-0x00000000038C0000-0x00000000038EA000-memory.dmp

Filesize
168KB

Download
memory/2308-272-0x00000000038C0000-0x00000000038EA000-memory.dmp

Filesize
168KB

Download
memory/2308-363-0x00000000038C0000-0x00000000038E3000-memory.dmp

Filesize
140KB

Download
memory/2308-8-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2308-313-0x00000000038C0000-0x00000000038E3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads