metasploit | 7938d27dfdce4fb1bcd000aa99da2a3933f6c1066ffb00044bb2b063abd71955

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
Size

608KB
MD5

b8eee470bd22ad85a34870892bdafba7
SHA1

5ac377dab4c37f69b796c12f7dc752a8d97b264b
SHA256

7938d27dfdce4fb1bcd000aa99da2a3933f6c1066ffb00044bb2b063abd71955
SHA512

23c35648e0cdedf7a4d8d81fca110a89705547d96270f2eaed4270f8196fda43df0b9a98eec06516f3bc333b2c7ad29cfa1e3814f81c467c3b93196d4f022d59
SSDEEP

12288:9HGWEue59s/agO8NnFM6Uf8fehqoBU6COEtHP8uE3YS/od1Y7QoS0y90:QZueDUagpN68Sn5COEZ8u3S/o2y

Score

10^/10

metasploit backdoor discovery persistence trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	StubInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	CloudAntivirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	PANDAC~1.EXE

Executes dropped EXE 6 IoCs

pid	Process
4728	http.exe
2708	PANDAC~1.EXE
1988	StubInstaller.exe
396	CloudAntivirus.exe
2152	Launcher.exe
1144	setup.exe

Loads dropped DLL 18 IoCs

pid	Process
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe
1144	setup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1080-0-0x0000000000040000-0x00000000000FF000-memory.dmp	upx
behavioral2/files/0x0009000000023445-6.dat	upx
behavioral2/memory/4728-8-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/4728-11-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1080-35-0x0000000000040000-0x00000000000FF000-memory.dmp	upx
behavioral2/memory/1080-78-0x0000000000040000-0x00000000000FF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PANDAC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StubInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudAntivirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Launcher.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4728	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	84
PID 1080 wrote to memory of 4728	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	84
PID 1080 wrote to memory of 4728	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	84
PID 1080 wrote to memory of 2708	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	86
PID 1080 wrote to memory of 2708	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	86
PID 1080 wrote to memory of 2708	1080	b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe	86
PID 2708 wrote to memory of 1988	2708	PANDAC~1.EXE	89
PID 2708 wrote to memory of 1988	2708	PANDAC~1.EXE	89
PID 2708 wrote to memory of 1988	2708	PANDAC~1.EXE	89
PID 1988 wrote to memory of 396	1988	StubInstaller.exe	97
PID 1988 wrote to memory of 396	1988	StubInstaller.exe	97
PID 1988 wrote to memory of 396	1988	StubInstaller.exe	97
PID 396 wrote to memory of 2152	396	CloudAntivirus.exe	101
PID 396 wrote to memory of 2152	396	CloudAntivirus.exe	101
PID 396 wrote to memory of 2152	396	CloudAntivirus.exe	101
PID 2152 wrote to memory of 1144	2152	Launcher.exe	103
PID 2152 wrote to memory of 1144	2152	Launcher.exe	103
PID 2152 wrote to memory of 1144	2152	Launcher.exe	103

C:\Users\Admin\AppData\Local\Temp\b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8eee470bd22ad85a34870892bdafba7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe" -DownloadUrl "http://acs.pandasoftware.com/cloud/CloudAntivirus.exe" -ActivationCode "PCAFSI1190"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe
      "C:\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe" -sp"/ActivationCode:PCAFSI1190"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe" /ActivationCode:PCAFSI1190
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe" /ActivationCode:PCAFSI1190
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CloudAntivirus.exe

Filesize
45.4MB

MD5
797be33d99c8f510c7ce1cd0dc65bb44

SHA1
68a408120d9e43e4984114cbf822cd9ff4b67cc0

SHA256
13f031328f8d1eb334182e263d0ff32b6abe3bba36a23e9604a59ef6502cb492

SHA512
fdce6869f23f708d032abd86bddabc86d671757773129a53a1937866ff6fb9c8749df5d9dff340734300d50870b27c8b37b847b5d69d2f377ec0e48bd28e8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PANDAC~1.EXE

Filesize
236KB

MD5
21d56b03f5b1ec8922641e8500a14f4c

SHA1
da24915f0180e7d48d48ff46b3c2391b244f9c14

SHA256
752363347786eed6504eb50fd2970879416ad54356389cc2e98cc8910763300e

SHA512
c7dc180e0cca2bd1258fd771405323d7edfa2a1abeb1274bcfad736a1358060a4e3110cd84364453bfb6345f4adf3e0f10053a34dd90b1026d3f12e89237581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\http.exe

Filesize
296KB

MD5
0587bf72060589b11f4e935b7c8b49ef

SHA1
50d0d0802e981b624ef343fb0af1f1239cf84aae

SHA256
787ccefde119500206e58b254037b92046372f516c5d2564050a6cbb958180fd

SHA512
77c1aafea672ceb032ffd54f204b7f29aa3cb491ad86c3b3f675b004efdca02b6b6c0431faf66d980cbfd4fe7e0083574a7fbfde5733c6034fa1247bf7f3500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSLogs\Launcher_exe.log

Filesize
653B

MD5
653d0819d9f0e5af97bb61ebfe3117f3

SHA1
726b7098966bf8ead561462c92119f6f39dc3213

SHA256
1047d85c74104c28db57009db16fd7ff86c0f673de680ade2cc8436059717aab

SHA512
490001706bd96df161d8945275c876b563d4e905b137437dbbafb826f85df81ba144d76457f8dd7aa093066f97b97b0a1d9fbef80d91ce6e5b85abf149d48f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSLogs\setup_exe.log

Filesize
634B

MD5
03e45cd5d42c012f0e8610f046eef111

SHA1
fb0a255d87faa743344d50083e1e66b6610e818c

SHA256
a1f0141f33f805e91850f73cf75eb469ec85b7eb8e7c3ba7fdf1c76d73344d41

SHA512
c31f3d603837ae541ef6b19e0364c98220f9906879e57eec0783094d9292a70d9f8d4ae53ff1ecec2a3f6a296e08aa346b5676b8d7bf49c20969314332e772fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSLogs\setup_exe.log

Filesize
1KB

MD5
c80686bb4db8f399ffb2522de25d89cf

SHA1
06bfeeecbc4ef57a7be2f25ae8223e60911ec6f1

SHA256
492b027cf263f36a0bf5c8b2f7d74ccc4fd24e24d2edfffa63032ac66275fe9a

SHA512
34c886c33b1445c9f73a80fd5393bde9fa6aafbd09d1df6784a1a6d1e3bf69c6a113478837cedf78e0dac331641019ad45fd7721dae7960ae3a05a2621ffed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\StubInstaller.exe

Filesize
378KB

MD5
2a2e144b8ad3b83ee0be296a26ee8458

SHA1
2e5dc6fe6c06119a92abbb050b93e956bfdf5322

SHA256
520aa5898422ed68ebf34cea212c2481bd907652a532fe467abc942db5cbeafc

SHA512
e4e0395c40572cb40f563e9920da90f8a74d1a65120fbde3df553f41c0aa89bff214336c1144cca256f2182b3f972ff62af5068714bd6f093e8212b2b06fc916

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CommonAppData\COMMONALLUSERNANO\CfgData\04009000.dat

Filesize
14KB

MD5
9d372a25791d01a814bbf9a4dc4e6b34

SHA1
bf2f420bcaab527555c2a841e724647f0660d7c4

SHA256
109edbd3fcd005aa46fa04cf109a55739ae17e35ace7c8e4a40219eae7f4883a

SHA512
6870bd03a1c1bbeb4feb3d6f52de02547c7503162533a1d1f9b5e66e24ab424601d89853a4a708cca79114dfa54129d8e511189eee0a5062ed23785ed7021757

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CommonAppData\COMMONALLUSERNANO\CfgData\04009800.dat

Filesize
16KB

MD5
54427e7e9be6b6089fb6385c2b4fbd1a

SHA1
831a6f345fff49bc9773da1f1c0dde4de9ed843e

SHA256
2da68610339acc01554c76f38c77bf157462deb7842f3abefb63df9ff06836fd

SHA512
7475cd5b08a985a8d96034796e7dccbe1eeea027e53e54c2e3b90b2cc4b5522a884be896e99a9165ccfd8c3d3b26e37098637d5bf07ddb1960796a4b225da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Launcher.exe

Filesize
236KB

MD5
4b90935a5ecf40405b7fd33e33b7c015

SHA1
1d8079422250d4adc9865fe7f56401677c86f3bc

SHA256
1b2e8f3e65ba379dea0dec641196d25cc6f63e7dbfd1e56565350b7ff608bbc0

SHA512
5a1a28bcf606e999c000b12b448fef3b9816f93b3722435fe35fdca3ce3b90f67377df0f30bbb64e8d95522d1983f7d5351c40997f340df8c311f2ca4ee88420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PandaCloudAntivirus_x64.msi

Filesize
6.0MB

MD5
ca45a2fb351c471d5424b1a2ca413d35

SHA1
4f9935100908abd138dbbb8d6218ec79fc8142a1

SHA256
5a7a0f1cd1ed44d3db7d34d85ce56f197b53b27694b205d25c9bcd30b5d999e1

SHA512
3b250701adf02733e933a6d9a4bd2703f130fdb99054dad09b9785506c98a94766d7dc48c49b7cf0068b9fb84cc4d612a615ec6157ce6e69fd9da33bbaf283ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\Drivers\NNSNahsL\x86\nnsnahsl.inf

Filesize
3KB

MD5
de2e39394c278206d28aecb9b0a0c837

SHA1
dbdc6cb6285098399cb04f2f5fba2bba1d58321d

SHA256
95aca88ed66add352cb14b451fd483ca54ddf9dddb8edbd5d74b7c565858a80b

SHA512
272054dadf4747993a7ed9003d803ba9a692ebd643bb81f9da147b5cc65af1b7aa3f6f55de32005ce40d9a656d57be1235c05f4de9496d1d9b2402623e534efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSANLang.dll

Filesize
34KB

MD5
63abcbfa74b4019e126014d909ee20dc

SHA1
dcae3fadae92af8a5cd0c1a7dbb29a75708d9945

SHA256
e1713594d924eb4d4756165f368838e6bf0bac2cbe46ba64baa44fd26afee7b3

SHA512
a2a3c80cc5f9fb8e0953ac2ad0204c4a6ed90477c5a4beea1029affc170bb59f1427f4bb830b8881e083e2241567d43b05f2e056247e3e60e948f007c3d7f6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCCfgStore.dll

Filesize
128KB

MD5
4964c4d5a4d1ef255739ea6d42c129c0

SHA1
4bb6a30985b9ee87a2ae270bce929abc593e0303

SHA256
43589a39d707e9ea03e2d1115a39090249e7bdfa6d6a724e060b3b83e8fdfee6

SHA512
848ed0c7bac2396e302fd44a8ae2417d74f93a8d93bd37239aac7e24efb1a25b6ba31b950492c5ab167467223769fc9b91c79f94ced9e447fc4ae3a23bbd0bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll

Filesize
43KB

MD5
bb5404dc70155afea065a00598d9b074

SHA1
bf09d92d8b71c2e69cd69080bf0fce8e56d6e3a5

SHA256
971b317c7b1c75eaacc264d1ae8aad6c36bae1ce6ca91cde99e2c68e39bf5b96

SHA512
4b41456936fd307a2ba3d6a009b7fcc2706d80fedcda5066c03e0c99446410ac5cda1faf152795c104694ea0c397b3b6497c562c2897a23b08de94a4de57c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSNCSA.dll

Filesize
46KB

MD5
1b7cd0900a5c1e5eb173c0b56f22113d

SHA1
8fa1a25fee3c3ee76997dfdfb65ebf00f7af25f0

SHA256
0fe566292298b6cd67d420ffb55eab1a4c4826fee91b144003397e71d83da62f

SHA512
dc26fe0d2ce0e4e6f48ad797caf9513d9c2b249ce862d3fa43c2619ba1431027c6eb22389690ad6bba5d5f54ae02a77fe6eba20f39ef0631fed282cc6dd49b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSUNResources.dll

Filesize
2.1MB

MD5
08a431382388407983682ff926d82241

SHA1
c6103aa785aaf0cdf97c68056384954e9d406d35

SHA256
f92011fc87408ff90695f7e414940fc926e68df1c109f7a9849a278b81cb58da

SHA512
0227e6e410a11dd08fb4e7547c31b2084527b41083eb87d73241076359216a36971b960c94a15213b1ee1e71ced8a62cf2a0ec900accb66f41f45b03b7479613

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\PSUNSkin.skn

Filesize
47KB

MD5
8c894ed0b9b41b640b48e67ff6780d59

SHA1
2ffa6a85bdc0537e4ccd37e80d8ed591686819b1

SHA256
8d88eb739bfee23c5a9accd9f7d23dca570b05adc0b91d13cf5550592c9ec0f2

SHA512
66157444059fa6bbc46bc11e6b18d476fa08a2a5b04b5b011e9ef382ff2463cf3e7bb787f66e0fb0d4661bdb1ca1b8739f4ed44d9d74f7cec407f83956dcc97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\dut\license.rtf

Filesize
67KB

MD5
e852f53fe22ed0db5e8dd04a07ff91fd

SHA1
d37941b24325e90385314b01570aad2ee634a5d0

SHA256
66d86c029706258fca0534d7a3b1b21f4478eff5f6b687e496fafaf1da2bd3b3

SHA512
e65cefd4936188f2219e53748cddfc411594231e56197ef6b2101d57d94729dfcffe8041af9ac39876810716d8c40060ff8fb93a82ba46a3970f5b79d804396f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\eng\BootStrap.pnd

Filesize
71KB

MD5
a64103401be39ef0823b3c4e1702abd1

SHA1
03f9bb7ab226d4a85d80c20bbc331e9209c686c6

SHA256
ac8da36dadb1a0dc37e6c2ef042918f6e38c076909d33a04c0dcb9850cb2d644

SHA512
a348ae0a2f0a48e3249cbe44c91de972fcb38c4f949f36e8d4181b75f82d77003a25ddbd1432309b2de4ad1967866a3ce31cbb954d61367ba35aa03c1dfb5f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\psNXml.dll

Filesize
67KB

MD5
8a9a1ad5ba07e89b9d9a21db5d39ecda

SHA1
c6105024f8806373214319d43b4ea80a4ef6cb95

SHA256
f571a330821981f91c6561c3c4e5134d284a4610b6b2bca2e8b577358ff1e326

SHA512
3c4d913492dad77de32a2d4c431751d9c7065a3ff2818175fb8a7191c75e9878c2ccc11083020bc468c567e5fd11add396af6765386b92c75130e884b4df25b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Program Files\Panda Security\Panda Cloud Antivirus\pskalloc.dll

Filesize
45KB

MD5
3b0cd9e211d22dc6bfe4df2dcacdef2c

SHA1
ccb6ab6afb2ccff32f100107dd488812fc1c6e11

SHA256
a3978f0eb6fd0cb7d3f0bace41dbe6e30c8702dc8a9baf22a7a76fdc2eeb3f34

SHA512
a164e1f29bcd08b702ea90a4be0f240bafa7cc80ff96feacd5b93090398dbbf5b70a65b838fce21d1fb45f2a5cd9800397ae32c98e1baad069961febb1373438

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.dat

Filesize
3KB

MD5
6f1f55facbd138302002b149dbdfbddb

SHA1
42d68b91421b20b6650f8e15f0fe46ff6ae2ae3e

SHA256
70298da9cc99be7628a3e9eff18edcec69d45e151192bf253bc70de557a8f3d7

SHA512
f88306c4fe9d46740c2dca3ff83bf3e108523256e2684be292bc75404d9a606d3da0c517f68f107f6449b87ba36056e0b4c022946e8c9269e1c6ee9967fb87e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.ini

Filesize
459B

MD5
5904617e8234d975220cf173b56fb295

SHA1
b7919cf67e3a2c179a4c2574c14163526f74d9a7

SHA256
fb1bf5ddae85c1a66d8963cf919587baa2f5bc041dcb403ffcd29d379d2a9f2d

SHA512
33b9848899423ed96b49650402f4c4b221a1ea6ac7affcc219179e0c46c6678f44b9161aa22dcc30ac0c0d1f6072b572bc1b3de465249dd1174f20e683115b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\SetupUI.dll

Filesize
4.8MB

MD5
5d46c4ce9c906d97e89f87ca44a09bc9

SHA1
36ce4b522db487b75c712250d6f2486430434a50

SHA256
2490eee039e80dd1ed6d6077238f2b2eba5fe90ef42e598e63e8ffcebaa08d3d

SHA512
937c8986ff5daa1475856e20babb382e1e2fe9b1cbad71ce6c5cc58e5d70f59e9bac742ee755a1572151ab28dcf293921446e5ef84b0d719295107ed99b0f355

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe

Filesize
880KB

MD5
4dadeb18ecc69e34f4c25aba7deab191

SHA1
40cd99ea89c23582ac53fd841da85491eeeb8fef

SHA256
c2f4f99ec35b7fe3327469254e8caddc857b1c7fd942a81f1c71efa6d18ba465

SHA512
9d1235ef797f58c4fc80c06f55a6613baef2d02d433db99d3b9af2682fee21711af21e898e34679a0c30e9731a7eaefd4faa1fde0ea40114f03ad6fa2ae92172

Download Submit
memory/1080-35-0x0000000000040000-0x00000000000FF000-memory.dmp

Filesize
764KB

Download
memory/1080-0-0x0000000000040000-0x00000000000FF000-memory.dmp

Filesize
764KB

Download
memory/1080-78-0x0000000000040000-0x00000000000FF000-memory.dmp

Filesize
764KB

Download
memory/1144-1312-0x0000000032060000-0x0000000032531000-memory.dmp

Filesize
4.8MB

Download
memory/1144-1314-0x0000000032060000-0x0000000032531000-memory.dmp

Filesize
4.8MB

Download
memory/4728-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4728-9-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4728-8-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads