Analysis Overview
SHA256
1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c
Threat Level: Known bad
The file d604a165826a3df124f663479b0607b5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
Darkcomet family
Darkcomet
ISR Stealer payload
Modifies WinLogon for persistence
Latentbot family
LatentBot
Isrstealer family
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-08 07:57
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-08 07:57
Reported
2024-12-08 08:00
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Darkcomet
Darkcomet family
LatentBot
Latentbot family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2868 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | C:\Users\Admin\AppData\Local\Temp\out.exe |
| PID 2204 set thread context of 1172 | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | C:\Users\Admin\AppData\Roaming\java\jar.exe |
| PID 2984 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
| PID 3028 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
| C:\Windows\SysWOW64\notepad.exe | notepad |
| C:\Users\Admin\AppData\Roaming\java\jar.exe | "C:\Users\Admin\AppData\Roaming\java\jar.exe" |
| C:\Users\Admin\AppData\Roaming\java\jar.exe | "C:\Users\Admin\AppData\Roaming\java\jar.exe" |
| C:\Windows\SysWOW64\notepad.exe | notepad |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\TncEnqc0PV.ini" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat" " |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | euro2012.zapto.org | udp |
| US | 8.8.8.8:53 | olympic2012.zapto.org | udp |
| US | 8.8.8.8:53 | mobclub.info | udp |
Files
\Users\Admin\AppData\Local\Temp\out.exe
| MD5 | 1075f5bdeae2dae8ed0be96c0772cbde |
| SHA1 | 05e761c27139288d04cbf222c6d711fa8b907e75 |
| SHA256 | 42f3493aa0a0a755f92f7773838ddf19d9f7f93ac64eaf2e85f7ea36e16e14ed |
| SHA512 | 267bae9e05e32c1be45f688ade0d2beb895f415bf156927fc42aaee7f51a5fb4ef8c815f9153c7bd46f38329338b1e6f790f5e7c6775a7a88a3399b09d04ca05 |
C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat
| MD5 | f6fa97ac595aab50b7ffb2d6592865fb |
| SHA1 | 76530c92e501d4619cceee8901a23862fc4638d9 |
| SHA256 | 98036dba5197d400c3d31412523c877bda50ebd0e9212275100b3ea6cef55570 |
| SHA512 | b421a379a14c90cb59cb6e3ad10d507496d86cc227af0ce574bdd18891e4adedb187c3c91435d5c61f25d40a2b5772b46a93ec105deaffec3b00b30a9a3d4248 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | d604a165826a3df124f663479b0607b5 |
| SHA1 | f3afcb70f500c2dcdb2fc0edd6869c31b43dc792 |
| SHA256 | 1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c |
| SHA512 | 00f0c02b13fd7806cd8664b5278b3a21785f8dd8871655d7af24794c46a0c39514648d25f33d1b33b7967dd3bec0882051205d26decc12a10f2a6a54589a9ebf |
memory/2920-135-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1172-137-0x0000000000400000-0x00000000004BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TncEnqc0PV.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-08 07:57
Reported
2024-12-08 08:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Darkcomet
Darkcomet family
ISR Stealer
ISR Stealer payload
Isrstealer family
LatentBot
Latentbot family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IgfxTray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoffpdate = "C:\\Users\\Admin\\AppData\\Roaming\\java\\jar.exe" | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3180 set thread context of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | C:\Users\Admin\AppData\Local\Temp\out.exe |
| PID 932 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | C:\Users\Admin\AppData\Roaming\java\jar.exe |
| PID 3156 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
| PID 2136 set thread context of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\out.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\java\jar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
| C:\Windows\SysWOW64\notepad.exe | notepad |
| C:\Users\Admin\AppData\Roaming\java\jar.exe | "C:\Users\Admin\AppData\Roaming\java\jar.exe" |
| C:\Users\Admin\AppData\Roaming\java\jar.exe | "C:\Users\Admin\AppData\Roaming\java\jar.exe" |
| C:\Windows\SysWOW64\notepad.exe | notepad |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe |
| C:\Users\Admin\AppData\Local\Temp\d604a165826a3df124f663479b0607b5_JaffaCakes118.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\wFc7VddpIi.ini" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat" " |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | euro2012.zapto.org | udp |
| US | 8.8.8.8:53 | olympic2012.zapto.org | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobclub.info | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\out.exe
| MD5 | 1075f5bdeae2dae8ed0be96c0772cbde |
| SHA1 | 05e761c27139288d04cbf222c6d711fa8b907e75 |
| SHA256 | 42f3493aa0a0a755f92f7773838ddf19d9f7f93ac64eaf2e85f7ea36e16e14ed |
| SHA512 | 267bae9e05e32c1be45f688ade0d2beb895f415bf156927fc42aaee7f51a5fb4ef8c815f9153c7bd46f38329338b1e6f790f5e7c6775a7a88a3399b09d04ca05 |
C:\Users\Admin\AppData\Local\Temp\GkVhrbN.bat
| MD5 | f6fa97ac595aab50b7ffb2d6592865fb |
| SHA1 | 76530c92e501d4619cceee8901a23862fc4638d9 |
| SHA256 | 98036dba5197d400c3d31412523c877bda50ebd0e9212275100b3ea6cef55570 |
| SHA512 | b421a379a14c90cb59cb6e3ad10d507496d86cc227af0ce574bdd18891e4adedb187c3c91435d5c61f25d40a2b5772b46a93ec105deaffec3b00b30a9a3d4248 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | d604a165826a3df124f663479b0607b5 |
| SHA1 | f3afcb70f500c2dcdb2fc0edd6869c31b43dc792 |
| SHA256 | 1001065dcc00ff8d14c2166940a2936b1ff78c3cffa17eb75b502a2a9a932a2c |
| SHA512 | 00f0c02b13fd7806cd8664b5278b3a21785f8dd8871655d7af24794c46a0c39514648d25f33d1b33b7967dd3bec0882051205d26decc12a10f2a6a54589a9ebf |
C:\Users\Admin\AppData\Local\Temp\wFc7VddpIi.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |