Analysis Overview
SHA256
6e058ce4dc4d3a35811341392350c57700c10754e737daecce149f5ad17cf4f6
Threat Level: Shows suspicious behavior
The file 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 08:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.29.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.29.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240708-en
Max time kernel
101s
Max time network
17s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsjA268.tmp\System.dll
| MD5 | 6621d1f4e191c018a0d8abb5c610d1aa |
| SHA1 | c3af35a5df9361e2805bd84d3e3144e0b9c44d5b |
| SHA256 | d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5 |
| SHA512 | 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5 |
\Users\Admin\AppData\Local\Temp\nsjA268.tmp\InstallOptions.dll
| MD5 | 29459d9ee2bce32ed937fb1f965f9d5e |
| SHA1 | 8fff45ed45f3af8f8c248eba9a1c02c9c5fc911d |
| SHA256 | ad07968b7d93ef19e10e1deb52e0c912e96dde30c0a49a0239daf176fd4c9ef5 |
| SHA512 | d4ef4eadb0f53e7086a1d242bf7f745ad79d83d9ecbfaa283cf0dd499271a804589a575040bb20d5c98e86197cc65ca05ab1a358c556ea82a3e297d0255015a6 |
C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\welcome.ini
| MD5 | 84e2901534c5e0f2d343a799d0253ad2 |
| SHA1 | c5b68d71c67d9774a297496ad21cbdde61938886 |
| SHA256 | e23b391285c9899dad9ff2bdd0c02b74be32eb8cfe181a47c220b53b826cc01d |
| SHA512 | a748212cb5eb3c709fce8c0fe22b6c0455f20761f34128e7a52c2da714cb4cc18d58bb3f1bd6eb69eb5e46d127a847a91b248aaf513b11b50ed2fc6e31e17a70 |
C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\welcome.ini
| MD5 | b0a28863ada2c5ed535f28db721bffcf |
| SHA1 | 4cca344c8dcc7b463dbbe8e5674635c8ca19bd66 |
| SHA256 | bf6f03f0abb5f88dac58898c483f55f87911b62682088d3dd41cf7e1e6860fce |
| SHA512 | 304db6818d0c1e27e58d089473d7973321324e9b4264dd86e45ef2d6cf20863bef792ef507584bab569daa89a6b0815c2f5fd5b8c02d0d4e9aed8a4b48bdbaa6 |
C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\privacy.ini
| MD5 | bdc99c3ef9546974b650e8ca41bfd2a8 |
| SHA1 | 825c16177248e31bff25878ffcc625837bc7d7f7 |
| SHA256 | 6f660cdcd8384b3ad37221bb03975bb380ae9a940b4b7aa35a6afbaf7ee35b75 |
| SHA512 | fe80252d896309d003df350cac597153f2b82735715eaf305d4db1f90431cb92b7e95434a97c4ed2d01579e6374f05cb5a4be1685ad1d08611bb2b21c111ab89 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
130s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3764 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
104s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\System.dll
| MD5 | 6621d1f4e191c018a0d8abb5c610d1aa |
| SHA1 | c3af35a5df9361e2805bd84d3e3144e0b9c44d5b |
| SHA256 | d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5 |
| SHA512 | 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5 |
C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\welcome.ini
| MD5 | 2e41a0be15c814d374a859f578c5a09b |
| SHA1 | ff7c8b9316a078f1eb34a71b47a11be2f8fb045c |
| SHA256 | f2695bce869d1abcac4d37a6abd17876885f4fcc0682e9d37981455ad2e45e0d |
| SHA512 | de6901187bb929e86abbd508965115bdf02fce6f62867056ee9c4f6cf6aad4092700cf055b5768397ca8142603ae169aa7ad12a6dacbbc0dc09033253a50374f |
C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\InstallOptions.dll
| MD5 | 29459d9ee2bce32ed937fb1f965f9d5e |
| SHA1 | 8fff45ed45f3af8f8c248eba9a1c02c9c5fc911d |
| SHA256 | ad07968b7d93ef19e10e1deb52e0c912e96dde30c0a49a0239daf176fd4c9ef5 |
| SHA512 | d4ef4eadb0f53e7086a1d242bf7f745ad79d83d9ecbfaa283cf0dd499271a804589a575040bb20d5c98e86197cc65ca05ab1a358c556ea82a3e297d0255015a6 |
C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\welcome.ini
| MD5 | ab52f1133ee813a32a144496c7c2486d |
| SHA1 | 359cbc373f9c3f57b6947af0251c77b233304b4c |
| SHA256 | 598f8f9e25abefa80a91f753a8cceca118c058d1b106b5abdca2f7b77e580569 |
| SHA512 | 7f3cc5ea507d3b4e24ced99a8ac391a5704ee8b1589482e184e1bd717c4995e8259f0957a7213d70bed7927b6d968e6c9a6f519367e9416da02b3c4e84925611 |
C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\privacy.ini
| MD5 | c1a915d2ce6ef3bee3e324bf389605b8 |
| SHA1 | 462df4cf78728f740522eb6161af62260ab16e3a |
| SHA256 | e5f08cfe7ca071b8c4deb6194b323dd3f352a56ad62b59d00ccd6ab303e23a55 |
| SHA512 | 839f9bf737f989afd78afd48ff671c19b744d43d731203e10f12cb6b706a5d4540eb45f3134c32c93ebc88150e1f829da86ac9179c79f4b24f02c3f984b759b0 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
"C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe"
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
"C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | versions.divx.com | udp |
| NL | 18.239.15.140:80 | versions.divx.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\System.dll
| MD5 | ed228603bf5d6ba382b59274dba35a0a |
| SHA1 | 037d40e0399902b5119d48995dfd2e96bc6de9a4 |
| SHA256 | a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37 |
| SHA512 | 9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9 |
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\PCloser.dll
| MD5 | 472f68bb5ba2cc581a9dc320c864f84c |
| SHA1 | 245c09e194c6b4899314d9c6b041153b33f26ca7 |
| SHA256 | f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84 |
| SHA512 | 7fc6c06fdf0e2aeffb0a2effd61839e6b3abe1dda808329bd59e5e72621f6c61bfd8d71f2b1c95f072626e0d2bfe0d8c60425096359f74e846950bc38a5fae9a |
memory/1120-25-0x00000000003E0000-0x00000000003F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
| MD5 | d1b411fc28aa7839bb236febc0950c96 |
| SHA1 | 58c65d6501c16cb57cc7254d4292e6fd9deba2bb |
| SHA256 | d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b |
| SHA512 | be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee |
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
| MD5 | 4926b97e0cfc4edbda0ef962624e27a6 |
| SHA1 | fdc9e0d5fd03f72dda1ac58cd7e4fb211e47317b |
| SHA256 | 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51 |
| SHA512 | acd29b3aa9e220d7d7f893c5c18b08a7517614b0a6228c0b44ebf31d3cfbf74b76894abb5a4cbbb3db540db3e1972eef8f4ba9b3b78f179ef6d6b18e64c4145d |
\Users\Admin\AppData\Local\Temp\nsi511D.tmp\System.dll
| MD5 | 6621d1f4e191c018a0d8abb5c610d1aa |
| SHA1 | c3af35a5df9361e2805bd84d3e3144e0b9c44d5b |
| SHA256 | d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5 |
| SHA512 | 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5 |
\Users\Admin\AppData\Local\Temp\nso513D.tmp\ConnectionTester.dll
| MD5 | c0d23f9dd2f29b0ab20f2005b29b6a12 |
| SHA1 | 412b1ff53c9d5d390d344787541450e091ea502b |
| SHA256 | fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6 |
| SHA512 | 75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744 |
memory/2764-100-0x0000000001E10000-0x0000000001E29000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\InstallOptions.dll
| MD5 | 9b2bdf058d377da28704af9ca3ef1142 |
| SHA1 | 0fc0d7fbc4c3a65eec33d9577ed38e545b3cc04b |
| SHA256 | 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300 |
| SHA512 | ba0c2a312732832874642f6ca8d3b5aa4274da5cbb3a09d990b442becdf9a1abb98c61c5cbbb55f6a5341d2997388d01f93f69e4946e923a1892c7621775b93f |
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\divx-bundle-updater.ini
| MD5 | 7dd6ce8d313ef7f0673f5072d88650a4 |
| SHA1 | c2fcd1bf23addee746862e366e21a9d1f9dcc3c8 |
| SHA256 | b91daf80c850ad247207d7cf0a1a480327a3fa5c63d62a554e38e8e6914e63ab |
| SHA512 | 8b6b5527a331268821f343f7cdb74612203643af2745b2fd7338645b23ae33e92120320358d09a0d125ab99b98c4bebd48cc556cd77d39244cd407845968e1c2 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1932 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1932 wrote to memory of 2248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20241010-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1616 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1616 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1616 wrote to memory of 1428 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 648
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.30.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20241010-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2304 wrote to memory of 1236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 244
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe
"C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe"
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe
"C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | versions.divx.com | udp |
| NL | 18.239.15.179:80 | versions.divx.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.15.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\System.dll
| MD5 | ed228603bf5d6ba382b59274dba35a0a |
| SHA1 | 037d40e0399902b5119d48995dfd2e96bc6de9a4 |
| SHA256 | a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37 |
| SHA512 | 9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9 |
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\PCloser.dll
| MD5 | 472f68bb5ba2cc581a9dc320c864f84c |
| SHA1 | 245c09e194c6b4899314d9c6b041153b33f26ca7 |
| SHA256 | f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84 |
| SHA512 | 7fc6c06fdf0e2aeffb0a2effd61839e6b3abe1dda808329bd59e5e72621f6c61bfd8d71f2b1c95f072626e0d2bfe0d8c60425096359f74e846950bc38a5fae9a |
memory/4228-26-0x00000000023B0000-0x00000000023C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe
| MD5 | d1b411fc28aa7839bb236febc0950c96 |
| SHA1 | 58c65d6501c16cb57cc7254d4292e6fd9deba2bb |
| SHA256 | d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b |
| SHA512 | be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee |
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe
| MD5 | 4926b97e0cfc4edbda0ef962624e27a6 |
| SHA1 | fdc9e0d5fd03f72dda1ac58cd7e4fb211e47317b |
| SHA256 | 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51 |
| SHA512 | acd29b3aa9e220d7d7f893c5c18b08a7517614b0a6228c0b44ebf31d3cfbf74b76894abb5a4cbbb3db540db3e1972eef8f4ba9b3b78f179ef6d6b18e64c4145d |
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\ConnectionTester.dll
| MD5 | c0d23f9dd2f29b0ab20f2005b29b6a12 |
| SHA1 | 412b1ff53c9d5d390d344787541450e091ea502b |
| SHA256 | fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6 |
| SHA512 | 75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744 |
memory/4704-51-0x00000000026B0000-0x00000000026C9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu851F.tmp\System.dll
| MD5 | 6621d1f4e191c018a0d8abb5c610d1aa |
| SHA1 | c3af35a5df9361e2805bd84d3e3144e0b9c44d5b |
| SHA256 | d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5 |
| SHA512 | 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5 |
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\divx-bundle-updater.ini
| MD5 | 914aac8e4fbdd0d5b5ec73f20177ebc1 |
| SHA1 | 5a4113d646b81cd31d5b35dc8266c01a64024184 |
| SHA256 | c9d8b1082ed930cff4e2157b8ec75cb434a871ddbdb9364cb470c276991f4ff3 |
| SHA512 | 66ec3a0ac9f98cffbad65dbac087253d5096cfd917d0f636ef0be8d4ff0d3562c034dbe781f93eb4560100f9f4f8b99e3c2b35e0cc9678c54a9ac5dadded6e3a |
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\InstallOptions.dll
| MD5 | 9b2bdf058d377da28704af9ca3ef1142 |
| SHA1 | 0fc0d7fbc4c3a65eec33d9577ed38e545b3cc04b |
| SHA256 | 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300 |
| SHA512 | ba0c2a312732832874642f6ca8d3b5aa4274da5cbb3a09d990b442becdf9a1abb98c61c5cbbb55f6a5341d2997388d01f93f69e4946e923a1892c7621775b93f |
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-21 08:42
Reported
2024-10-21 08:45
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js