Analysis Overview
SHA256
8f3cda27b0be3d97f13087516187fc0f0c629804f629f048da096a182d3b1751
Threat Level: Known bad
The file 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RevengeRat Executable
Revengerat family
Modifies firewall policy service
Uses the VBS compiler for execution
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 17:37
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 17:37
Reported
2024-10-18 17:40
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 803.no-ip.org | udp |
| ID | 212.117.53.118:3080 | 803.no-ip.org | tcp |
| ID | 212.117.53.118:3080 | 803.no-ip.org | tcp |
| US | 8.8.8.8:53 | 1803.no-ip.org | udp |
| US | 8.8.8.8:53 | 2803.no-ip.org | udp |
| ID | 212.117.53.118:3080 | 2803.no-ip.org | tcp |
| US | 8.8.8.8:53 | 3803.no-ip.org | udp |
| US | 8.8.8.8:53 | 4803.no-ip.org | udp |
| US | 8.8.8.8:53 | 5803.no-ip.org | udp |
| US | 8.8.8.8:53 | 6803.no-ip.org | udp |
| US | 8.8.8.8:53 | 7803.no-ip.org | udp |
| US | 8.8.8.8:53 | 8803.no-ip.org | udp |
Files
memory/2536-0-0x0000000074661000-0x0000000074662000-memory.dmp
memory/2536-1-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2536-2-0x0000000074660000-0x0000000074C0B000-memory.dmp
\Users\Admin\AppData\Local\Temp\CACAO.dll
| MD5 | 533cc8ec927f6d014a8fb880c25c16a9 |
| SHA1 | 0e32857bb7a8da6be1741dd4b126db189041422c |
| SHA256 | 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07 |
| SHA512 | 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d |
memory/2876-10-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-11-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DEL.BAT
| MD5 | 0eb1ce469214ebc99409fa2c14eb1a4f |
| SHA1 | a502e9f691f253ddaac1dd129aad2397b5d536b1 |
| SHA256 | 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f |
| SHA512 | ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5 |
memory/2876-15-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2876-12-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2536-28-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2876-33-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-34-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-36-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-37-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-40-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-41-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-45-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-46-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-48-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-49-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2876-50-0x0000000000400000-0x0000000000478000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 17:37
Reported
2024-10-18 17:40
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 216 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 803.no-ip.org | udp |
| ID | 212.117.53.118:3080 | 803.no-ip.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| ID | 212.117.53.118:3080 | 803.no-ip.org | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1803.no-ip.org | udp |
| US | 8.8.8.8:53 | 2803.no-ip.org | udp |
| ID | 212.117.53.118:3080 | 2803.no-ip.org | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3803.no-ip.org | udp |
| US | 8.8.8.8:53 | 4803.no-ip.org | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5803.no-ip.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6803.no-ip.org | udp |
| US | 8.8.8.8:53 | 7803.no-ip.org | udp |
| US | 8.8.8.8:53 | 8803.no-ip.org | udp |
Files
memory/216-0-0x0000000075292000-0x0000000075293000-memory.dmp
memory/216-1-0x0000000075290000-0x0000000075841000-memory.dmp
memory/216-2-0x0000000075290000-0x0000000075841000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CACAO.dll
| MD5 | 533cc8ec927f6d014a8fb880c25c16a9 |
| SHA1 | 0e32857bb7a8da6be1741dd4b126db189041422c |
| SHA256 | 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07 |
| SHA512 | 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d |
memory/2452-12-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-16-0x0000000000400000-0x0000000000478000-memory.dmp
memory/216-21-0x0000000075290000-0x0000000075841000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DEL.BAT
| MD5 | 0eb1ce469214ebc99409fa2c14eb1a4f |
| SHA1 | a502e9f691f253ddaac1dd129aad2397b5d536b1 |
| SHA256 | 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f |
| SHA512 | ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5 |
memory/2452-26-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-27-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-29-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-30-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-31-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-33-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-34-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-35-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-37-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-39-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2452-42-0x0000000000400000-0x0000000000478000-memory.dmp