Malware Analysis Report

2025-03-15 00:44

Sample ID 241024-1qcy8avemn
Target 73eb50d731889829becf58029a86eb45_JaffaCakes118
SHA256 a2d4cc146cb1b62a7d4128b0e277c7411921cf9f77cc7577599a00697f3492b1
Tags
upx mydoom discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2d4cc146cb1b62a7d4128b0e277c7411921cf9f77cc7577599a00697f3492b1

Threat Level: Known bad

The file 73eb50d731889829becf58029a86eb45_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx mydoom discovery persistence worm

Mydoom family

Detects MyDoom family

MyDoom

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-24 21:50

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

Mydoom family

mydoom

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-24 21:50

Reported

2024-10-24 22:02

Platform

win11-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe"

Signatures

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MyDoom

worm mydoom

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe N/A
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\services.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UndoConfirm.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\8bec10b2b6a741eaab67d27c93a84f25 /t 1472 /p 1568

Network

Country Destination Domain Proto
US 15.139.236.61:1034 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
IN 4.240.75.125:1034 tcp
IN 4.240.75.254:1034 tcp
IN 4.240.78.119:1034 tcp
US 8.8.8.8:53 acm.org udp
BE 66.102.1.27:25 aspmx.l.google.com tcp
US 199.89.3.120:25 mail.mailroute.net tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 52.101.11.19:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 2.18.190.80:80 r11.o.lencr.org tcp
IM 81.88.166.9:1034 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 36.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
SG 74.125.200.27:25 aspmx5.googlemail.com tcp
US 104.17.79.30:25 acm.org tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.227.224:25 burtleburtle.net tcp
US 204.13.239.180:25 alumni.caltech.edu tcp
US 85.187.148.2:25 mail.gzip.org tcp
US 15.198.4.192:1034 tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
FI 142.251.1.26:25 aspmx4.googlemail.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 52.101.194.5:25 outlook-com.olc.protection.outlook.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 85.187.148.2:25 mail.gzip.org tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 15.136.121.176:1034 tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
DE 142.251.9.27:25 aspmx3.googlemail.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 52.96.228.130:25 outlook.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 16.80.225.35:1034 tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 172.217.169.36:80 www.google.com tcp
GB 172.217.169.36:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp

Files

memory/2956-0-0x0000000000500000-0x0000000000510000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2456-5-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2956-13-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-16-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-28-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2956-39-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2956-44-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-45-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 2b6eacb14cfcdf8e8dcfda258dee8d26
SHA1 ac210774a723ead3041eb712fc71dfa4935648be
SHA256 249075696527417f7a60b6003dab1c7d904538c27f3b87d8f62df5a3f9df2e9b
SHA512 9b2bf2d583db3d92430aaff2dedd2211bfb6fd8b798cd5487fae8fcf30addc808caaf65c085d965876c0037c34a64db8d34ed6a08e07a9993895dd458adc1c49

C:\Users\Admin\AppData\Local\Temp\tmpB35F.tmp

MD5 8180865618aa06781f5ed6ff06c0f649
SHA1 2943c5d93f9ba7f0d8e8e3b2dd6a93c896a183ba
SHA256 15fb5abc3879cbad69a92a1daadd3338b1d2795014d134fd119adad81b22c7b0
SHA512 a23d3e87967aeb3fb63d8a2737dba40ef6266c4d5e90c7d437338b62616c41547a432120c879b36f018dd95f2524b3412252df208a73e85566f5961d6f95705c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQHBP8GN\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

memory/2956-138-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-139-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 ff5c5f06246977305c93d4d257fe77e4
SHA1 a12378a2257f76c57e5ce772ec8a0844a329dbf4
SHA256 db7e29ae8d73ebb121038b16e2fc9a126dffcc72e74c3661585dc3f9fa78fea5
SHA512 87a34a6ce0c2e479b91f6b0a6a833d0aeb00f96d1142f69bc414e7c118c1ade5381f9a26572783532b5a8f01c0f725f8b53b3bdc59b39a79ef732d7a0aa9931d

memory/2956-163-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-164-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2456-168-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2956-172-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-173-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 875c5d2fb8bf7a4414b975c49a53a913
SHA1 8b6f55213c4724f6c59ff6b4a8415ab7076c4fb7
SHA256 e5ada524bccfa91dd06f5513b3bc835ca6f0be5bc190d6ee6551a188937b6061
SHA512 5ff6ccda6b776ded49bbe65d4bfc773a120531330b367f53ae555f671f157f602b8a36fbbfca3ff98f5fe6305de3b17958173d58e70c68cf6da33f459bbe32e5

memory/2956-200-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-201-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KN6FN23Q\default[5].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

memory/2956-239-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2456-240-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KN6FN23Q\default[6].htm

MD5 14b82aec966e8e370a28053db081f4e9
SHA1 a0f30ebbdb4c69947d3bd41fa63ec4929dddd649
SHA256 202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf
SHA512 ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-24 21:50

Reported

2024-10-24 22:00

Platform

win11-20241007-en

Max time kernel

52s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\out.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\out.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5160 -ip 5160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 236

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\StopUnpublish.dotm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp

Files

memory/4052-0-0x00007FFAC1ED0000-0x00007FFAC1EE0000-memory.dmp

memory/4052-3-0x00007FFB01EE3000-0x00007FFB01EE4000-memory.dmp

memory/4052-2-0x00007FFAC1ED0000-0x00007FFAC1EE0000-memory.dmp

memory/4052-9-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-12-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-11-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-15-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-16-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-17-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-18-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-21-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-22-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-20-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-19-0x00007FFABF8F0000-0x00007FFABF900000-memory.dmp

memory/4052-14-0x00007FFABF8F0000-0x00007FFABF900000-memory.dmp

memory/4052-13-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-10-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-8-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-7-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-6-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp

memory/4052-5-0x00007FFAC1ED0000-0x00007FFAC1EE0000-memory.dmp

memory/4052-4-0x00007FFAC1ED0000-0x00007FFAC1EE0000-memory.dmp

memory/4052-1-0x00007FFAC1ED0000-0x00007FFAC1EE0000-memory.dmp

memory/4052-30-0x00007FFB01E40000-0x00007FFB02049000-memory.dmp