Analysis Overview
SHA256
b22e580a067fe58a29798c9e293f50c87371c401675d4b1546c4475a87235dff
Threat Level: Known bad
The file 412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Revengerat family
Modifies firewall policy service
RevengeRat Executable
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 17:36
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 17:36
Reported
2024-10-13 17:38
Platform
win7-20240903-en
Max time kernel
148s
Max time network
138s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\P38LR221VZ.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1480 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 1bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 2bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 3bshadesrat1.no-ip.biz | udp |
| FR | 78.159.135.230:21 | 3bshadesrat1.no-ip.biz | tcp |
| US | 8.8.8.8:53 | 4bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 5bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 6bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 7bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 8bshadesrat1.no-ip.biz | udp |
Files
memory/1480-0-0x00000000741F1000-0x00000000741F2000-memory.dmp
memory/1480-1-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/1480-2-0x00000000741F0000-0x000000007479B000-memory.dmp
\Users\Admin\AppData\Local\Temp\CACAO.dll
| MD5 | 533cc8ec927f6d014a8fb880c25c16a9 |
| SHA1 | 0e32857bb7a8da6be1741dd4b126db189041422c |
| SHA256 | 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07 |
| SHA512 | 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d |
memory/2932-10-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-12-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DEL.BAT
| MD5 | 0eb1ce469214ebc99409fa2c14eb1a4f |
| SHA1 | a502e9f691f253ddaac1dd129aad2397b5d536b1 |
| SHA256 | 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f |
| SHA512 | ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5 |
memory/2932-16-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2932-11-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1480-29-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/2932-34-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-35-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-36-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-39-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-41-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-42-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-43-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-45-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-46-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-47-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-49-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2932-50-0x0000000000400000-0x0000000000478000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 17:36
Reported
2024-10-13 17:38
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\P38LR221VZ.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\412f7ee013632fe0ad4eff568db0d94f_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\P38LR221VZ.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 3bshadesrat1.no-ip.biz | udp |
| FR | 78.159.135.230:21 | 3bshadesrat1.no-ip.biz | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 5bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 7bshadesrat1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 8bshadesrat1.no-ip.biz | udp |
Files
memory/3044-0-0x00000000751A2000-0x00000000751A3000-memory.dmp
memory/3044-1-0x00000000751A0000-0x0000000075751000-memory.dmp
memory/3044-2-0x00000000751A0000-0x0000000075751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CACAO.dll
| MD5 | 533cc8ec927f6d014a8fb880c25c16a9 |
| SHA1 | 0e32857bb7a8da6be1741dd4b126db189041422c |
| SHA256 | 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07 |
| SHA512 | 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d |
memory/4148-13-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-16-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3044-21-0x00000000751A0000-0x0000000075751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DEL.BAT
| MD5 | 0eb1ce469214ebc99409fa2c14eb1a4f |
| SHA1 | a502e9f691f253ddaac1dd129aad2397b5d536b1 |
| SHA256 | 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f |
| SHA512 | ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5 |
memory/4148-26-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-27-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-29-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-30-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-31-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-33-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-34-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-35-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-37-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-39-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-42-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4148-43-0x0000000000400000-0x0000000000478000-memory.dmp