Malware Analysis Report

2024-10-23 19:38

Sample ID 240810-bq19daygqn
Target 844a5401ecb97ca4b3eb72421330c524_JaffaCakes118
SHA256 cff7917b775748ad82f20fede03809e1cf8d186747d82c5bbd5f4bf0a2c6ae32
Tags
nanocore discovery evasion keylogger spyware stealer trojan
Score
10/10


Analysis Overview

Score
10/10

SHA256

cff7917b775748ad82f20fede03809e1cf8d186747d82c5bbd5f4bf0a2c6ae32

Threat Level: Known bad

The file 844a5401ecb97ca4b3eb72421330c524_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 01:21

Reported

2024-08-10 01:24

Platform

win7-20240708-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 816 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 816 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 816 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 816 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 816 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 852 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 852 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OGnYlNzPvlYgZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AC6.tmp"

C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ARP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp

Files

memory/816-0-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

memory/816-1-0x00000000011F0000-0x0000000001292000-memory.dmp

memory/816-2-0x0000000074DB0000-0x000000007549E000-memory.dmp

memory/816-3-0x00000000004C0000-0x00000000004D2000-memory.dmp

memory/816-4-0x0000000074DB0000-0x000000007549E000-memory.dmp

memory/816-5-0x0000000005CE0000-0x0000000005D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4AC6.tmp

MD5 ccb3a72dbb4ba4806f69be1ee7a0c0ae
SHA1 0925bab870ad334e2f8faeb2b754cb127c26ef09
SHA256 e226430f35e38552fde9246d90f5140f903eeb3fd4ae8c6fc057163b88744947
SHA512 3ec2305dfb210a5f2755dfca37dca0af15cb037cebff4ca5e91165907984ae9dcef7a32dca1d68d47f3164819bd2879289b478e47e5eec7c92aee4a1916bd410

memory/852-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/852-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-25-0x0000000074DB0000-0x000000007549E000-memory.dmp

memory/852-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/852-26-0x0000000074DB0000-0x000000007549E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp

MD5 532f91d48cbf941807fa8b56411db984
SHA1 081b88449e35cda4bf1c0dd68268eeeb2db694b7
SHA256 9b86d8b3c342bc2dd4e8032f6055a3ecad31060e7ceefd3466cf98a14ff3114a
SHA512 c719453573084d95cb6b9e596cc74ef3144f8cacae08fdf7c32903fa2986f4a87858841805ae51ae1d10d2c204c76b15216fe1bc7e73fec6765ce2e1e2edb5e3

memory/852-31-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/852-32-0x0000000000500000-0x000000000051E000-memory.dmp

memory/852-33-0x0000000000560000-0x000000000056A000-memory.dmp

memory/816-34-0x0000000074DB0000-0x000000007549E000-memory.dmp

memory/852-35-0x0000000074DB0000-0x000000007549E000-memory.dmp

memory/852-36-0x0000000074DB0000-0x000000007549E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 01:21

Reported

2024-08-10 01:24

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4632 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 4632 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe
PID 3364 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3364 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3364 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OGnYlNzPvlYgZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27C7.tmp"

C:\Users\Admin\AppData\Local\Temp\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2AE3.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 shahzad73.casacam.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.4.4:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.ddns.net udp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp
US 8.8.8.8:53 shahzad73.casacam.net udp
CH 91.192.100.8:9036 shahzad73.casacam.net tcp

Files

memory/4632-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

memory/4632-1-0x00000000009F0000-0x0000000000A92000-memory.dmp

memory/4632-2-0x0000000005A70000-0x0000000006014000-memory.dmp

memory/4632-3-0x00000000054C0000-0x0000000005552000-memory.dmp

memory/4632-4-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/4632-5-0x0000000005460000-0x000000000546A000-memory.dmp

memory/4632-6-0x00000000080A0000-0x000000000813C000-memory.dmp

memory/4632-7-0x0000000008070000-0x0000000008082000-memory.dmp

memory/4632-8-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

memory/4632-9-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/4632-10-0x0000000008140000-0x00000000081CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp27C7.tmp

MD5 a148c57eb8258e6d0b6a1b169977e8ad
SHA1 6ce065858f213a2695ea3e69fb22ccd216bfc346
SHA256 5a3ab884ced5f1cbcc8fbcd2128499e4835861b3dc7b2262d8fbc4f0d834f19a
SHA512 c0568ae18b753d411340418a84214144d5669b2171f8d4def6642558e7af47dac3ead41ab1b221995c0e0906d38379a100e629dc8999de46b456e9b71c13659c

memory/3364-14-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\844a5401ecb97ca4b3eb72421330c524_JaffaCakes118.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/3364-17-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/4632-18-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/3364-19-0x0000000074F70000-0x0000000075720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2AE3.tmp

MD5 532f91d48cbf941807fa8b56411db984
SHA1 081b88449e35cda4bf1c0dd68268eeeb2db694b7
SHA256 9b86d8b3c342bc2dd4e8032f6055a3ecad31060e7ceefd3466cf98a14ff3114a
SHA512 c719453573084d95cb6b9e596cc74ef3144f8cacae08fdf7c32903fa2986f4a87858841805ae51ae1d10d2c204c76b15216fe1bc7e73fec6765ce2e1e2edb5e3

memory/3364-24-0x00000000066E0000-0x00000000066EA000-memory.dmp

memory/3364-25-0x0000000006770000-0x000000000678E000-memory.dmp

memory/3364-26-0x00000000068B0000-0x00000000068BA000-memory.dmp

memory/3364-27-0x0000000074F70000-0x0000000075720000-memory.dmp

memory/3364-28-0x0000000074F70000-0x0000000075720000-memory.dmp