Malware Analysis Report

2024-10-23 19:39

Sample ID 240815-pzskgssamh
Target 9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118
SHA256 a8bcefc2310761d35f797a3d74edf9bbd5e3b144453f26e71924dca43d1966f0
Tags
nanocore discovery evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8bcefc2310761d35f797a3d74edf9bbd5e3b144453f26e71924dca43d1966f0

Threat Level: Known bad

The file 9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 12:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 12:46

Reported

2024-08-15 12:48

Platform

win7-20240708-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2676 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 2720 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2720 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp17A7.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp

Files

memory/2676-0-0x0000000074691000-0x0000000074692000-memory.dmp

memory/2676-1-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2676-2-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2676-3-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2676-4-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2720-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2720-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-5-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2720-23-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2720-22-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2720-21-0x0000000074690000-0x0000000074C3B000-memory.dmp

memory/2676-20-0x0000000074690000-0x0000000074C3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp

MD5 b954d76d84936b21fc40dc5beac30019
SHA1 097e35c7cb1af7fed2557808a9f0774b99f971b1
SHA256 9ec74267998e2e6001565bc1ab0ee4cd9b59f21c2dfe09e783a0292051239379
SHA512 0321afb348925dfbaa44d664be07fc89ab30dacdcde7a63c768803b21a95212b77d29de9047dd9741091a93e9799b76a617f97f1ed2e431712b778a4490fd976

C:\Users\Admin\AppData\Local\Temp\tmp17A7.tmp

MD5 0a24db62cb5b84309c4803346caaa25d
SHA1 67660778f61bb44168c33ed3fe56ed86cf9583e8
SHA256 38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df
SHA512 d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

memory/2720-31-0x0000000074690000-0x0000000074C3B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 12:46

Reported

2024-08-15 12:48

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Manager = "C:\\Program Files (x86)\\DPI Manager\\dpimgr.exe" | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DPI Manager\dpimgr.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\DPI Manager\dpimgr.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 1280 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe
PID 3336 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3336 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3336 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3336 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3336 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3336 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp838.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8A7.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp
US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp
PT | 45.159.251.118:5654 | cloudhost.myfirewall.org | tcp

Files

memory/1280-0-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

memory/1280-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1280-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1280-3-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

memory/1280-4-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3336-5-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1280-8-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3336-9-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\9a166a4ebfc7463904546bfa7daea8f1_JaffaCakes118.exe.log

MD5 cb76b18ebed3a9f05a14aed43d35fba6
SHA1 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

memory/3336-10-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp838.tmp

MD5 b954d76d84936b21fc40dc5beac30019
SHA1 097e35c7cb1af7fed2557808a9f0774b99f971b1
SHA256 9ec74267998e2e6001565bc1ab0ee4cd9b59f21c2dfe09e783a0292051239379
SHA512 0321afb348925dfbaa44d664be07fc89ab30dacdcde7a63c768803b21a95212b77d29de9047dd9741091a93e9799b76a617f97f1ed2e431712b778a4490fd976

C:\Users\Admin\AppData\Local\Temp\tmp8A7.tmp

MD5 f5cfecb8113f1389673dca400a1825b4
SHA1 c274ce94b3ed69b5041782f8985ccdee953adab2
SHA256 fadc2a28023dcd8aca2aae413440fc5835a2a643aca07fcd9db8d9fe0b2d3ab7
SHA512 9288297097903cea4b68ee61c8f62cffd6ddd61396e9c9b68e527b88d1d4801dd8fd7083432f560b42a515e5f622f66baf2851aee6623534b8a07cfd2ee2686f

memory/3336-18-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3336-19-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3336-20-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/3336-21-0x0000000074FB0000-0x0000000075561000-memory.dmp