Malware Analysis Report

2024-10-19 08:44

Sample ID 240726-entcjaydnc
Target 7285fe11585198388f629e081d1c0f83_JaffaCakes118
SHA256 df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203
Tags
revengerat discovery evasion persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

df57bad53e8a72aad344e6cc2644fe757cf2ae0744a8c0f1c6c0caff63379203

Threat Level: Known bad

The file 7285fe11585198388f629e081d1c0f83_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

revengerat discovery evasion persistence stealer trojan

RevengeRAT

RevengeRat Executable

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks computer location settings

Drops startup file

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-07-26 04:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 04:05

Reported

2024-07-26 04:36

Platform

win7-20240704-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Usermode Font Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Usermode Font Driver Host.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\getmac.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2516 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 2516 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2792 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2792 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2792 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2700 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 2700 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 2700 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 2624 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 2624 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1364 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

"C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c getmac /v /fo list

C:\Windows\SysWOW64\getmac.exe

getmac /v /fo list

C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

"C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8FF2FF46-EBFA-4F1A-911C-13D83DD5B12F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 89712.ddns.net | udp

Files

memory/2516-0-0x0000000001040000-0x0000000001312000-memory.dmp

memory/2516-1-0x0000000001040000-0x0000000001312000-memory.dmp

memory/2516-2-0x0000000001040000-0x0000000001312000-memory.dmp

memory/2516-3-0x00000000009A0000-0x00000000009D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

MD5 76aca22cbb97f33600ac8a57643e9521
SHA1 7f0fbe012460ff4ed705f2002190b72f717eab8f
SHA256 d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a
SHA512 50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0

memory/2700-10-0x0000000001290000-0x00000000012C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

MD5 6a62d4ed369105b26b6133f536160791
SHA1 f9e232fb7f7316fbaafcb817235e2406ebd8db79
SHA256 fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70
SHA512 ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

MD5 996f495437c25b794acafc4b0f945a84
SHA1 e22fb0120b9988928303323593478edad4887fa3
SHA256 d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f
SHA512 0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63

memory/2516-27-0x0000000001040000-0x0000000001312000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 04:05

Reported

2024-07-26 04:36

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"

Signatures

RevengeRAT

trojan revengerat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usermode Font Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Usermode Font Driver Host.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\getmac.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5000 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 5000 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe
PID 5000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2484 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 2484 wrote to memory of 2404 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\getmac.exe
PID 1960 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 1960 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 1960 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE
PID 1960 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 1960 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 1960 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe
PID 4388 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 4388 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 4388 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe
PID 620 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe
PID 620 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7285fe11585198388f629e081d1c0f83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

"C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c getmac /v /fo list

C:\Windows\SysWOW64\getmac.exe

getmac /v /fo list

C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

"C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE"

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Chrome Updater" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Usermode Font Driver Host.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | 89712.ddns.net | udp
US | 8.8.8.8:53 | | udp

Files

memory/5000-0-0x00000000003D0000-0x00000000006A2000-memory.dmp

memory/5000-1-0x00000000003D0000-0x00000000006A2000-memory.dmp

memory/5000-2-0x00000000003D0000-0x00000000006A2000-memory.dmp

memory/5000-3-0x0000000006DC0000-0x0000000006DF6000-memory.dmp

memory/5000-4-0x00000000096C0000-0x000000000975C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoldHaxV2.98464Bit.exe

MD5 76aca22cbb97f33600ac8a57643e9521
SHA1 7f0fbe012460ff4ed705f2002190b72f717eab8f
SHA256 d8ee7da90047416960c08869a251fac032fa0f9c8bf4ebb7de6ae92cdab5853a
SHA512 50d5cca22f2bb9229ab830b3783acda277716a5fe6c0c78060be727153cd1d35171cb1385dd2ad2a7b32a2c1b41fa6d954572f4843d270d8340df00744190ed0

memory/1960-16-0x0000000000460000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GoldHax V2.984 64 Bit.EXE

MD5 6a62d4ed369105b26b6133f536160791
SHA1 f9e232fb7f7316fbaafcb817235e2406ebd8db79
SHA256 fb18c286d846003d2d2888749176b5b032e506eef01a44d3befe0eeed8e99f70
SHA512 ea9f9e627cae6ff9204416c97c8ba2db11a14a8aead72a999159c36f8e90e6136e50aafb84d25ff8c1dc1b6ebe1304ea88d4e4bbf5a72515d59653b12c143980

C:\Users\Admin\AppData\Local\Temp\Windows Security Health Service.exe

MD5 996f495437c25b794acafc4b0f945a84
SHA1 e22fb0120b9988928303323593478edad4887fa3
SHA256 d063370cbe1e2d284518607c87c2bcefe02a9446bfbcdf4edf61e340f576d89f
SHA512 0fe1086461e38966feec4a43efca63f7585a77ca8ed439ba8e631bc7bdfdb3b34fc3d0a9a285868b47819de80fc2686358833acec28c0eff4e6c1fbed1890d63

memory/5000-38-0x00000000003D0000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Usermode Font Driver Host.exe.log

MD5 bd95ac96ff31d0b0495938dd64dae2e1
SHA1 2a3b064d19c455097a55d56212afda1bde598281
SHA256 6a7a49027aefabf3e2923afbb8ff2f1d7d35b95488dd410fa0ace874965c76a1
SHA512 3f489a6e9e8f8400bcb76207fc024653641a30a9ee02cc8175173c341976dcc1715a6dcc4ea5b9abad884bdd9730e5f4062194c9fe9736e9ca4e6351f800709f