metasploit | 7938d27dfdce4fb1bcd000aa99da2a3933f6c1066ffb00044bb2b063abd71955

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
Size

608KB
MD5

b8eee470bd22ad85a34870892bdafba7
SHA1

5ac377dab4c37f69b796c12f7dc752a8d97b264b
SHA256

7938d27dfdce4fb1bcd000aa99da2a3933f6c1066ffb00044bb2b063abd71955
SHA512

23c35648e0cdedf7a4d8d81fca110a89705547d96270f2eaed4270f8196fda43df0b9a98eec06516f3bc333b2c7ad29cfa1e3814f81c467c3b93196d4f022d59
SSDEEP

12288:9HGWEue59s/agO8NnFM6Uf8fehqoBU6COEtHP8uE3YS/od1Y7QoS0y90:QZueDUagpN68Sn5COEZ8u3S/o2y

Score

10^/10

metasploit backdoor discovery persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2584	http.exe
2592	PANDAC~1.EXE
2648	StubInstaller.exe
2532	CloudAntivirus.exe
1256	Launcher.exe
2044	setup.exe

Loads dropped DLL 25 IoCs

pid	Process
300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
2592	PANDAC~1.EXE
2648	StubInstaller.exe
2648	StubInstaller.exe
2532	CloudAntivirus.exe
2532	CloudAntivirus.exe
2532	CloudAntivirus.exe
2532	CloudAntivirus.exe
1256	Launcher.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe
2044	setup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/300-0-0x0000000000530000-0x00000000005EF000-memory.dmp	upx
behavioral1/files/0x000800000001930a-7.dat	upx
behavioral1/memory/2584-14-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2584-16-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/300-29-0x0000000000530000-0x00000000005EF000-memory.dmp	upx
behavioral1/memory/300-30-0x0000000000160000-0x00000000001DB000-memory.dmp	upx
behavioral1/memory/300-47-0x0000000000530000-0x00000000005EF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StubInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudAntivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PANDAC~1.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Launcher.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 2584	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	30
PID 300 wrote to memory of 2584	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	30
PID 300 wrote to memory of 2584	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	30
PID 300 wrote to memory of 2584	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	30
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 300 wrote to memory of 2592	300	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	32
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2592 wrote to memory of 2648	2592	PANDAC~1.EXE	33
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2648 wrote to memory of 2532	2648	StubInstaller.exe	35
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 2532 wrote to memory of 1256	2532	CloudAntivirus.exe	36
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37
PID 1256 wrote to memory of 2044	1256	Launcher.exe	37

C:\Users\Admin\AppData\Local\Temp\b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe" -DownloadUrl "http://acs.pandasoftware.com/cloud/CloudAntivirus.exe" -ActivationCode "PCAFSI1190"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe
      "C:\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe" -sp"/ActivationCode:PCAFSI1190"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe" /ActivationCode:PCAFSI1190
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe" /ActivationCode:PCAFSI1190
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFD35.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSLogs\setup_exe.log

Filesize
634B

MD5
020ca96369e5ad8f3abb2e182f2117d0

SHA1
debad0071c0dc26e993104b55d79eccaa1894867

SHA256
eee5e4943675460113fb37524e4c4809adf4b8212620574a8a45eeffb233fa49

SHA512
26da45482161ac739176b4aeec1d5a9a52c5913641e1df48093a161024e3418e73fc6eb3d4defb2b983da972d2a9b9b469305e6d7cc9075bce97b9b81afbc38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSLogs\setup_exe.log

Filesize
1KB

MD5
80caf9c57de4978033a44c85880d05fd

SHA1
684bd43e4c3d083b1edea44812b0b775d7a4211c

SHA256
0e19135a2fccd0d84b2d37ab87d85651417b7700af71016cb6b81c2bb3c264ef

SHA512
638c128eea3499dec5194c5e29cf6ab73a8df84ae30aacd9c570c5d6d941ebe237b4336da707cde5752818ecc4fe2da53a395d233457a03cb1edf03e2977dbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CommonAppData\COMMONALLUSERNANO\CfgData\04009000.dat

Filesize
14KB

MD5
9d372a25791d01a814bbf9a4dc4e6b34

SHA1
bf2f420bcaab527555c2a841e724647f0660d7c4

SHA256
109edbd3fcd005aa46fa04cf109a55739ae17e35ace7c8e4a40219eae7f4883a

SHA512
6870bd03a1c1bbeb4feb3d6f52de02547c7503162533a1d1f9b5e66e24ab424601d89853a4a708cca79114dfa54129d8e511189eee0a5062ed23785ed7021757

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CommonAppData\COMMONALLUSERNANO\CfgData\04009800.dat

Filesize
16KB

MD5
54427e7e9be6b6089fb6385c2b4fbd1a

SHA1
831a6f345fff49bc9773da1f1c0dde4de9ed843e

SHA256
2da68610339acc01554c76f38c77bf157462deb7842f3abefb63df9ff06836fd

SHA512
7475cd5b08a985a8d96034796e7dccbe1eeea027e53e54c2e3b90b2cc4b5522a884be896e99a9165ccfd8c3d3b26e37098637d5bf07ddb1960796a4b225da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PandaCloudAntivirus_x64.msi

Filesize
6.0MB

MD5
ca45a2fb351c471d5424b1a2ca413d35

SHA1
4f9935100908abd138dbbb8d6218ec79fc8142a1

SHA256
5a7a0f1cd1ed44d3db7d34d85ce56f197b53b27694b205d25c9bcd30b5d999e1

SHA512
3b250701adf02733e933a6d9a4bd2703f130fdb99054dad09b9785506c98a94766d7dc48c49b7cf0068b9fb84cc4d612a615ec6157ce6e69fd9da33bbaf283ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\Drivers\NNSNahsL\x86\nnsnahsl.inf

Filesize
3KB

MD5
de2e39394c278206d28aecb9b0a0c837

SHA1
dbdc6cb6285098399cb04f2f5fba2bba1d58321d

SHA256
95aca88ed66add352cb14b451fd483ca54ddf9dddb8edbd5d74b7c565858a80b

SHA512
272054dadf4747993a7ed9003d803ba9a692ebd643bb81f9da147b5cc65af1b7aa3f6f55de32005ce40d9a656d57be1235c05f4de9496d1d9b2402623e534efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCCfgStore.dll

Filesize
128KB

MD5
4964c4d5a4d1ef255739ea6d42c129c0

SHA1
4bb6a30985b9ee87a2ae270bce929abc593e0303

SHA256
43589a39d707e9ea03e2d1115a39090249e7bdfa6d6a724e060b3b83e8fdfee6

SHA512
848ed0c7bac2396e302fd44a8ae2417d74f93a8d93bd37239aac7e24efb1a25b6ba31b950492c5ab167467223769fc9b91c79f94ced9e447fc4ae3a23bbd0bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSUNSkin.skn

Filesize
47KB

MD5
8c894ed0b9b41b640b48e67ff6780d59

SHA1
2ffa6a85bdc0537e4ccd37e80d8ed591686819b1

SHA256
8d88eb739bfee23c5a9accd9f7d23dca570b05adc0b91d13cf5550592c9ec0f2

SHA512
66157444059fa6bbc46bc11e6b18d476fa08a2a5b04b5b011e9ef382ff2463cf3e7bb787f66e0fb0d4661bdb1ca1b8739f4ed44d9d74f7cec407f83956dcc97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\dut\license.rtf

Filesize
67KB

MD5
e852f53fe22ed0db5e8dd04a07ff91fd

SHA1
d37941b24325e90385314b01570aad2ee634a5d0

SHA256
66d86c029706258fca0534d7a3b1b21f4478eff5f6b687e496fafaf1da2bd3b3

SHA512
e65cefd4936188f2219e53748cddfc411594231e56197ef6b2101d57d94729dfcffe8041af9ac39876810716d8c40060ff8fb93a82ba46a3970f5b79d804396f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\eng\BootStrap.pnd

Filesize
71KB

MD5
a64103401be39ef0823b3c4e1702abd1

SHA1
03f9bb7ab226d4a85d80c20bbc331e9209c686c6

SHA256
ac8da36dadb1a0dc37e6c2ef042918f6e38c076909d33a04c0dcb9850cb2d644

SHA512
a348ae0a2f0a48e3249cbe44c91de972fcb38c4f949f36e8d4181b75f82d77003a25ddbd1432309b2de4ad1967866a3ce31cbb954d61367ba35aa03c1dfb5f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\psNXml.dll

Filesize
67KB

MD5
8a9a1ad5ba07e89b9d9a21db5d39ecda

SHA1
c6105024f8806373214319d43b4ea80a4ef6cb95

SHA256
f571a330821981f91c6561c3c4e5134d284a4610b6b2bca2e8b577358ff1e326

SHA512
3c4d913492dad77de32a2d4c431751d9c7065a3ff2818175fb8a7191c75e9878c2ccc11083020bc468c567e5fd11add396af6765386b92c75130e884b4df25b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.dat

Filesize
3KB

MD5
6f1f55facbd138302002b149dbdfbddb

SHA1
42d68b91421b20b6650f8e15f0fe46ff6ae2ae3e

SHA256
70298da9cc99be7628a3e9eff18edcec69d45e151192bf253bc70de557a8f3d7

SHA512
f88306c4fe9d46740c2dca3ff83bf3e108523256e2684be292bc75404d9a606d3da0c517f68f107f6449b87ba36056e0b4c022946e8c9269e1c6ee9967fb87e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.ini

Filesize
459B

MD5
5904617e8234d975220cf173b56fb295

SHA1
b7919cf67e3a2c179a4c2574c14163526f74d9a7

SHA256
fb1bf5ddae85c1a66d8963cf919587baa2f5bc041dcb403ffcd29d379d2a9f2d

SHA512
33b9848899423ed96b49650402f4c4b221a1ea6ac7affcc219179e0c46c6678f44b9161aa22dcc30ac0c0d1f6072b572bc1b3de465249dd1174f20e683115b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\SetupUI.dll

Filesize
4.8MB

MD5
5d46c4ce9c906d97e89f87ca44a09bc9

SHA1
36ce4b522db487b75c712250d6f2486430434a50

SHA256
2490eee039e80dd1ed6d6077238f2b2eba5fe90ef42e598e63e8ffcebaa08d3d

SHA512
937c8986ff5daa1475856e20babb382e1e2fe9b1cbad71ce6c5cc58e5d70f59e9bac742ee755a1572151ab28dcf293921446e5ef84b0d719295107ed99b0f355

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe

Filesize
880KB

MD5
4dadeb18ecc69e34f4c25aba7deab191

SHA1
40cd99ea89c23582ac53fd841da85491eeeb8fef

SHA256
c2f4f99ec35b7fe3327469254e8caddc857b1c7fd942a81f1c71efa6d18ba465

SHA512
9d1235ef797f58c4fc80c06f55a6613baef2d02d433db99d3b9af2682fee21711af21e898e34679a0c30e9731a7eaefd4faa1fde0ea40114f03ad6fa2ae92172

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD67.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe

Filesize
45.4MB

MD5
797be33d99c8f510c7ce1cd0dc65bb44

SHA1
68a408120d9e43e4984114cbf822cd9ff4b67cc0

SHA256
13f031328f8d1eb334182e263d0ff32b6abe3bba36a23e9604a59ef6502cb492

SHA512
fdce6869f23f708d032abd86bddabc86d671757773129a53a1937866ff6fb9c8749df5d9dff340734300d50870b27c8b37b847b5d69d2f377ec0e48bd28e8588

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE

Filesize
236KB

MD5
21d56b03f5b1ec8922641e8500a14f4c

SHA1
da24915f0180e7d48d48ff46b3c2391b244f9c14

SHA256
752363347786eed6504eb50fd2970879416ad54356389cc2e98cc8910763300e

SHA512
c7dc180e0cca2bd1258fd771405323d7edfa2a1abeb1274bcfad736a1358060a4e3110cd84364453bfb6345f4adf3e0f10053a34dd90b1026d3f12e89237581b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe

Filesize
296KB

MD5
0587bf72060589b11f4e935b7c8b49ef

SHA1
50d0d0802e981b624ef343fb0af1f1239cf84aae

SHA256
787ccefde119500206e58b254037b92046372f516c5d2564050a6cbb958180fd

SHA512
77c1aafea672ceb032ffd54f204b7f29aa3cb491ad86c3b3f675b004efdca02b6b6c0431faf66d980cbfd4fe7e0083574a7fbfde5733c6034fa1247bf7f3500e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe

Filesize
378KB

MD5
2a2e144b8ad3b83ee0be296a26ee8458

SHA1
2e5dc6fe6c06119a92abbb050b93e956bfdf5322

SHA256
520aa5898422ed68ebf34cea212c2481bd907652a532fe467abc942db5cbeafc

SHA512
e4e0395c40572cb40f563e9920da90f8a74d1a65120fbde3df553f41c0aa89bff214336c1144cca256f2182b3f972ff62af5068714bd6f093e8212b2b06fc916

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe

Filesize
236KB

MD5
4b90935a5ecf40405b7fd33e33b7c015

SHA1
1d8079422250d4adc9865fe7f56401677c86f3bc

SHA256
1b2e8f3e65ba379dea0dec641196d25cc6f63e7dbfd1e56565350b7ff608bbc0

SHA512
5a1a28bcf606e999c000b12b448fef3b9816f93b3722435fe35fdca3ce3b90f67377df0f30bbb64e8d95522d1983f7d5351c40997f340df8c311f2ca4ee88420

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSANLang.dll

Filesize
34KB

MD5
63abcbfa74b4019e126014d909ee20dc

SHA1
dcae3fadae92af8a5cd0c1a7dbb29a75708d9945

SHA256
e1713594d924eb4d4756165f368838e6bf0bac2cbe46ba64baa44fd26afee7b3

SHA512
a2a3c80cc5f9fb8e0953ac2ad0204c4a6ed90477c5a4beea1029affc170bb59f1427f4bb830b8881e083e2241567d43b05f2e056247e3e60e948f007c3d7f6c1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll

Filesize
43KB

MD5
bb5404dc70155afea065a00598d9b074

SHA1
bf09d92d8b71c2e69cd69080bf0fce8e56d6e3a5

SHA256
971b317c7b1c75eaacc264d1ae8aad6c36bae1ce6ca91cde99e2c68e39bf5b96

SHA512
4b41456936fd307a2ba3d6a009b7fcc2706d80fedcda5066c03e0c99446410ac5cda1faf152795c104694ea0c397b3b6497c562c2897a23b08de94a4de57c29a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCSA.dll

Filesize
46KB

MD5
1b7cd0900a5c1e5eb173c0b56f22113d

SHA1
8fa1a25fee3c3ee76997dfdfb65ebf00f7af25f0

SHA256
0fe566292298b6cd67d420ffb55eab1a4c4826fee91b144003397e71d83da62f

SHA512
dc26fe0d2ce0e4e6f48ad797caf9513d9c2b249ce862d3fa43c2619ba1431027c6eb22389690ad6bba5d5f54ae02a77fe6eba20f39ef0631fed282cc6dd49b31

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSUNResources.dll

Filesize
2.1MB

MD5
08a431382388407983682ff926d82241

SHA1
c6103aa785aaf0cdf97c68056384954e9d406d35

SHA256
f92011fc87408ff90695f7e414940fc926e68df1c109f7a9849a278b81cb58da

SHA512
0227e6e410a11dd08fb4e7547c31b2084527b41083eb87d73241076359216a36971b960c94a15213b1ee1e71ced8a62cf2a0ec900accb66f41f45b03b7479613

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\pskalloc.dll

Filesize
45KB

MD5
3b0cd9e211d22dc6bfe4df2dcacdef2c

SHA1
ccb6ab6afb2ccff32f100107dd488812fc1c6e11

SHA256
a3978f0eb6fd0cb7d3f0bace41dbe6e30c8702dc8a9baf22a7a76fdc2eeb3f34

SHA512
a164e1f29bcd08b702ea90a4be0f240bafa7cc80ff96feacd5b93090398dbbf5b70a65b838fce21d1fb45f2a5cd9800397ae32c98e1baad069961febb1373438

Download Submit
memory/300-47-0x0000000000530000-0x00000000005EF000-memory.dmp

Filesize
764KB

Download
memory/300-30-0x0000000000160000-0x00000000001DB000-memory.dmp

Filesize
492KB

Download
memory/300-29-0x0000000000530000-0x00000000005EF000-memory.dmp

Filesize
764KB

Download
memory/300-12-0x0000000000160000-0x00000000001DB000-memory.dmp

Filesize
492KB

Download
memory/300-13-0x0000000000160000-0x00000000001DB000-memory.dmp

Filesize
492KB

Download
memory/300-0-0x0000000000530000-0x00000000005EF000-memory.dmp

Filesize
764KB

Download
memory/2044-1350-0x0000000032060000-0x0000000032531000-memory.dmp

Filesize
4.8MB

Download
memory/2584-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2584-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2584-16-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads