6b5b52e0fd664268f4b1bb094c317cb3f58a4a564ec1deb71cb7fab9b9e40644

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
Size

677KB
MD5

b2fa9d005036fd0f9ca9c14f00e6ade1
SHA1

5eedd70731fce08cea8bfa933da2a6bf9e37db63
SHA256

6b5b52e0fd664268f4b1bb094c317cb3f58a4a564ec1deb71cb7fab9b9e40644
SHA512

64dbed2c302d3ab18bef67994f30dfe52e62e4b1a49ce5ccb595fc899cbbe023cccd19d853465d2d3545620aa1e678f44c85ac486e35dbbd526af7d8b7347790
SSDEEP

12288:HkWAehJuqTfH75lPHFanS9EjT41+tbza4Ah54L5SgcA8hJpo1ikJm1RGRZt:HkWAAuqTH75lPFaL41W0OFSdxjpo0kJ9

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1928	UnityWebPlayer.exe
2396	1.exe

Loads dropped DLL 5 IoCs

pid	Process
1928	UnityWebPlayer.exe
1928	UnityWebPlayer.exe
1928	UnityWebPlayer.exe
1928	UnityWebPlayer.exe
1928	UnityWebPlayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_259444045	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
File created	C:\Windows\1.exe	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
File opened for modification	C:\Windows\1.exe	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
File created	C:\Windows\UnityWebPlayer.exe	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
File opened for modification	C:\Windows\UnityWebPlayer.exe	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UnityWebPlayer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer.1\CLSID\ = "{444785F1-DE89-4295-863A-D46C3A781394}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer.1\ = "UnityWebPlayer Control"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ProgID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ProgID\ = "UnityWebPlayer.UnityWebPlayer.1"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\VersionIndependentProgID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\ = "UnityWebPlayerAXLib"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\AppID\UnityWebPluginAX.ocx	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Version\ = "1.0"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ = "_DUnityWebPlayerAXEvents"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer\CLSID	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\ = "0"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1\ = "131473"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\Version = "1.0"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\AppID\UnityWebPluginAX.ocx\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer.1\CLSID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ = "UnityWebPlayer Control"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ToolboxBitmap32	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\TypeLib\ = "{75A564FE-95D1-41a9-B1D9-10D1E3CB502B}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\VersionIndependentProgID\ = "UnityWebPlayer.UnityWebPlayer"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ = "_DUnityWebPlayerAXEvents"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ = "_DUnityWebPlayerAX"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer\CurVer\ = "UnityWebPlayer.UnityWebPlayer.1"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Control	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\AppID	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\Version = "1.0"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\UnityWebPlayer.UnityWebPlayer\CLSID\ = "{444785F1-DE89-4295-863A-D46C3A781394}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx, 102"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Version	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Programmable	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\TypeLib	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\Version = "1.0"	UnityWebPlayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1928	UnityWebPlayer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1928	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2396	2500	b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2fa9d005036fd0f9ca9c14f00e6ade1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\UnityWebPlayer.exe
  "C:\Windows\UnityWebPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1928
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Executes dropped EXE
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\UtilsPlugin.dll

Filesize
10KB

MD5
73ee934f37fc4d3dfa890ea5ec30db1d

SHA1
ede6561cb69c3b9c6dc6a05b82cbee9b48e487cd

SHA256
23be0b6141f07696b5ac41dbf633c5f18592b5c15d39a3eb8b5ffb65c7eb6aac

SHA512
a0ee0b3ad08240ee20b154a5237471c46bcaf7f9753fca3428a48ccb9a31c05054d469dc87b96e5d44a15370ca45ae4d255db5cbc750e49aaa1fae4610c36568

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\ioSpecial.ini

Filesize
1KB

MD5
676db31e4044446fc8b5ef1ebaa76546

SHA1
227fcde86e6100bd2df27109cbe1fd7c63ee490a

SHA256
78a81c5ba2e06f40b74a3ae97d6da7e40ed365234e0b43b4df456461a4498143

SHA512
77b691bc4ffcf8dcdac10c8d82c0c6328be390a4429786f10b42d7569ce896db6605c887182d53f504b50a8a728f3e32553464c9bd588a0f69ed2aaea93b2fe4

Download Submit
C:\Windows\1.exe

Filesize
98KB

MD5
5fbb5ce50be5d947a518312eb4ae3611

SHA1
add5924f45fe7bf92010fd8b3426a7a25384dcfa

SHA256
b6df92807ec932fab22d811d23c78f53060eeee0b6070fa7713ec82fa2f3c59b

SHA512
404b9b4541a6263951e56cd85cf96248acd88f1c78133f2a2005bd4c8d77a1407b6d7515e9ae0f4f0f9fb4ccb81e6f7159f8e2c9826da22554030278d774da83

Download Submit
C:\Windows\UnityWebPlayer.exe

Filesize
573KB

MD5
d94bd72e1408ce7ffdbd560be837dd09

SHA1
6c81f58bac97935a3d4202a7e77908ad7153ab6a

SHA256
7277f2b6338380a556ea2d34d844b3492df552430b505e07da9ecd7c8db6cf97

SHA512
b904b93ff5c194a951ec9727a194714b05447bf48a3cb41b7836cde4179d57e0c337a836007483e962610c4246d8562884f480afe7756a46c8c705dd469d73f5

Download Submit
\Users\Admin\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx

Filesize
168KB

MD5
8848c71c4195d1f5c1c4a0190b2650d5

SHA1
ff722087919ebb2e5da5ff759401062f24f42432

SHA256
fdc509bd26642700e71ff9c0d508e2d5275581f0896b90a2408f6c67730eb702

SHA512
3ecf9b2d0ed1c0d9b974eaae2404156885f065b97882e8f94cf46eca08092b64afe6c399e8c4c14c3ed171b4d9090d29ebffa506453897aad43f7b3443cdbbfb

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\InstallOptions.dll

Filesize
15KB

MD5
605878b664b6c4ddefd73918fc45a440

SHA1
68328d6a9ce62a668bbe12878af26c1f1d0e3f82

SHA256
7b3a3bf008489b61de83b94a63db4556cae5de80701a2e1ebdf9a025b3b631c4

SHA512
c83eea75288272c3fb72aca2486581127dc4875ee80165511c38d32d3cb7e553836249df79358fc5d0ec5d7aef183c888c2df03ea688d163984cdd919255da26

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\System.dll

Filesize
11KB

MD5
d0d7d2799802f7cddf8db7a2d8ae1e23

SHA1
ae8d8cfd9f1a7104036a9e8658f50f9c35c7a1c6

SHA256
828819614dc0dbfb73f22d4c3712e6369230eab92819c5d4efe75870ee109a5a

SHA512
2b5af0e34720eb2f5b0aa04b589b46fb4b4d344b5c5d23fdd382348b051ac9766ff80f6a2455ef66da78ba880e8ce41b23daf741033de7701ca3f17f1adde408

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCDDC.tmp\UserInfo.dll

Filesize
4KB

MD5
13a689123cebd31c1d1862e05981beca

SHA1
0430094a1a0f639ba9bf5831c24f1f4330762a6d

SHA256
386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf

SHA512
0663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae

Download Submit