Malware Analysis Report

2025-04-14 05:10

Sample ID: 250108-e2erastpct
Target: JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33
SHA256: 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff
Tags: revengerat guest discovery stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff

Threat Level: Known bad

The file JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33 was found to be: Known bad.

Malicious Activity Summary

revengerat guest discovery stealer trojan

RevengeRAT

Revengerat family

RevengeRat Executable

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-08 04:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-08 04:25
Reported: 2025-01-08 04:28
Platform: win7-20240903-en
Max time kernel: 130s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"

Signatures

RevengeRAT
Tags: trojan revengerat

Revengerat family
Tags: revengerat

RevengeRat Executable
Tags: stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2424 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2424 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2424 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1044 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1044 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1044 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1044 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2424 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2424 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2424 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2424 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2504 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2504 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2504 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2504 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2804 wrote to memory of 2560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2804 wrote to memory of 2560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2804 wrote to memory of 2560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2804 wrote to memory of 2560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82F5.tmp" "c:\Users\Admin\AppData\Local\Temp\vud2qqg1\CSC5BAE06D982334539909D7126512F4B.TMP"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD78.tmp" "c:\Users\Admin\AppData\Local\Temp\yo0qydhh\CSCF54445C53AD2468ABC69CD489B88E93.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dnstext.publicvm.com | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | dnstext.publicvm.com | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp

Files

memory/2424-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

memory/2424-1-0x0000000000260000-0x000000000029E000-memory.dmp

memory/2424-6-0x0000000074AB0000-0x000000007519E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.cmdline

MD5 63487b619e12eff19ef3756a02751f4f
SHA1 e2164c55163d60b51b908f52af8828851c957a74
SHA256 0576bf1c3d1d2599ca51bcac0779dcb0f866e5888bf30f7007bf1579303ccabe
SHA512 818c1ce7ad6c196f888b5d89eb8893a2d29f5e377a7f4b47230a3caab04789967404461de7c9468811e133997ece8272ebd0bad4dad1a285dd776a0a89ca6099

\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.0.cs

MD5 4949667438d5392543cfdd46006a2f06
SHA1 7ad3f3b16fce93fd4e56f24f13610e9761a48eb0
SHA256 03626e616391cac1bf69f60da6dd99ec1ee697a58e428ab69d27a22afad62ea3
SHA512 0967e449f9f2c4015d8da02b7b6aadfe7f6af9ea2140c4c3f6f3efaa7d5cfb449bce819e41093727a90743c1a8d7d6b3c67f30ecc3aa9a28fb02d3dd34c08c68

\??\c:\Users\Admin\AppData\Local\Temp\vud2qqg1\CSC5BAE06D982334539909D7126512F4B.TMP

MD5 f54c45b1f1fcc6054acfacc348210820
SHA1 b8565e32e367c2b517885f36812452a76087ce43
SHA256 e6b311f892c1f764760ab5e742d0ae29eb627cdca423222c7d22841840b96072
SHA512 0efda4455fc9f88f81b3689061b3ade7a2b0580c5182a8554904047f3340e69f555516b276b17138a1fa6ccd5c0ef1f810f4e57ebed9c6b182328a2e7b07fc8b

C:\Users\Admin\AppData\Local\Temp\RES82F5.tmp

MD5 6c79361beee269b948df06659619748e
SHA1 fc296a7439f7bd1e2dc3b34e69ed897520804e4c
SHA256 f05d71abc708557d57cc5bcd6da98a246b624c0ac9e7f841acf82797ece08049
SHA512 ea47a7bb2c1f3a330ff0c3d2361f4f5c61d0a93ebad43187054fe50f56c36c09ab44443f7f8d84c7bca89e447a6bd0310abde73f1b0ec32f1641e56a898df897

C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.pdb

MD5 b72c1af173319f8b2471bec3567423d0
SHA1 8dc8adeb512d7489e98005af26ae77ce12fcf8ab
SHA256 65b12bc92e3490b2f29c951170f897df73c1eea2e7f06181c9c4849622bc9498
SHA512 6a8b81288ea55236e53bdbd06815ce4e5fe367b0c8311945054b66ee86be07b4ab56696a0cd2aa07104abd2139fde00a9fdd779ebf7f3aeefb12ade013cc0159

C:\Users\Admin\AppData\Local\Temp\vud2qqg1\vud2qqg1.dll

MD5 fa4c8929e0ea4de58735cd66b3bd2241
SHA1 38aa83ba17876f973771f34452109f219c7614fa
SHA256 69ee3003cf758fbe5409837e5ca910aa6755ae2cb37a9925b4606d36a2f4cc91
SHA512 b9474eface066b7a6312282d91a32e4efeb6ceb449b0b13dae7e77d6c7a9799b9ec32b01532bf957070fb0c2f40d989037c68ccd49894e2441c884f9f9c05552

memory/2424-17-0x0000000000420000-0x0000000000428000-memory.dmp

memory/2424-19-0x0000000000450000-0x0000000000464000-memory.dmp

memory/2424-20-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2424-21-0x0000000001D50000-0x0000000001D58000-memory.dmp

memory/2424-22-0x0000000074AB0000-0x000000007519E000-memory.dmp

\Users\Admin\AppData\Roaming\Client.exe

MD5 8b1eff957cbbabe0de8eadb89c03bd33
SHA1 2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7
SHA256 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff
SHA512 ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54

memory/2504-30-0x0000000000C50000-0x0000000000C8E000-memory.dmp

memory/2424-34-0x0000000074AB0000-0x000000007519E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.cmdline

MD5 1caa4e385f067c2ccfde207fc736eb74
SHA1 36f198dd2a1ac85cef9e9d9b5d5dd50bf7a328f5
SHA256 71c9a1c1206f38d5efa01d3ca3064b8f6497f40e8791382b86468b130a2df014
SHA512 931027ce38579567b897a63e115ef680bba2c5ae360440f00ee1aa28b791b5dbc3b60936d3528eb7211b5d46eed5f1644c3a82590b3597bed849263d6d8786cd

\??\c:\Users\Admin\AppData\Local\Temp\yo0qydhh\CSCF54445C53AD2468ABC69CD489B88E93.TMP

MD5 22a03ae654a8377470a54f83fd188872
SHA1 bb7509135d3d8d356522ba10db4e5ef191df3888
SHA256 c3f06ba9a8c58c5ff7230a703c9a99a9a5587915b2c70cd1a6b66f0146fda77a
SHA512 07145ae2cddc3678974c3bca2899b71a1000aa28824b16c0b758556d5dc2767359ed5c720c449b5ab2f2675f65283934db45aea33501cf2fb538a600032d02ef

C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.pdb

MD5 39350d1b7237b985ae79b03398d4811a
SHA1 19ec5336bfe37d76d6fd2652d8420025acebedb2
SHA256 64c3f2d956b9cf1d2565bf1c87db26fb06fba8e2bf2f4eb52338dd36fa50b27b
SHA512 f0e3871dcedfcadad690617c6c99422693eeca8eb5b36999c1a6ed72d2d04e2f919d81ac90cf2e462d77edc6fc41eddcb2f597bae07c10f6b3c57d1b66f9cff9

memory/2504-46-0x0000000000200000-0x0000000000208000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yo0qydhh\yo0qydhh.dll

MD5 e8322c582f0585cfdd9fcb9ccf5f67ca
SHA1 d079e9079af4553bb9b0ace0fc9b7d06abb0803b
SHA256 303bcab9f25a15af75fe180e284a11aa9814a036e1ae2acb95ca7b6c40b22830
SHA512 0af13bbc4600c42468ea03045bb88765e357e32068e52bb1b7df3bb2dfb5468232ce872386dd574ffbcb540598fb58602eeeb93b377adf95978f534b65f42076

C:\Users\Admin\AppData\Local\Temp\RESD78.tmp

MD5 63adceaefef2190cef68994010cc5f5a
SHA1 197a00b9978af1dfc49821afcb700f220c2ba180
SHA256 6ac7de0b025d3a9c36f85a28b9f5eb14ddface161efb9eed55db7951afa6f59c
SHA512 0ab5f8791c9c164ef42ed82d0efaa87b9e50c30f9e464099da393da4f2c0305e0430a370f24da12f6f0f71dda6ebcc440ee0e84ba30cabcd1afb8e24cd3cbf9b

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-08 04:25
Reported: 2025-01-08 04:28
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"

Signatures

RevengeRAT
Tags: trojan revengerat

Revengerat family
Tags: revengerat

RevengeRat Executable
Tags: stealer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2276 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2276 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2276 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 976 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 976 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 976 wrote to memory of 1544 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2276 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2276 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 2276 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe | C:\Users\Admin\AppData\Roaming\Client.exe
PID 4024 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4024 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4024 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 5100 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5100 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5100 wrote to memory of 692 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7705.tmp" "c:\Users\Admin\AppData\Local\Temp\4cc05qsb\CSCDB9CC01771BB43749581319582BC317C.TMP"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F.tmp" "c:\Users\Admin\AppData\Local\Temp\ei4lutjr\CSC6F4C49CEB084A1FA836CC283B84C3A.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | dnstext.publicvm.com | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | dnstext.publicvm.com | udp
SG | 139.99.66.103:112 | dnstext.publicvm.com | tcp
US | 8.8.8.8:53 | | udp

Files

memory/2276-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

memory/2276-1-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

memory/2276-5-0x0000000074E90000-0x0000000075640000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.cmdline

MD5 495443d56147d70a3f4b5c61a05d3b39
SHA1 2433809c5d5e987e9d7c9cf1f81e50c6aa7e3f8b
SHA256 b4e31977af1d11f37795dde49e535eb0a878924ef68af68c433a1d6f00a90d3e
SHA512 f4b20a230d500373f89269c755d43bea24ada95ca8033e4523280778ff7fdf307d6d381218568ea65b87f36bfe29fd180112e24a2d9b65e05f7f63db5a4de75c

\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.0.cs

MD5 4949667438d5392543cfdd46006a2f06
SHA1 7ad3f3b16fce93fd4e56f24f13610e9761a48eb0
SHA256 03626e616391cac1bf69f60da6dd99ec1ee697a58e428ab69d27a22afad62ea3
SHA512 0967e449f9f2c4015d8da02b7b6aadfe7f6af9ea2140c4c3f6f3efaa7d5cfb449bce819e41093727a90743c1a8d7d6b3c67f30ecc3aa9a28fb02d3dd34c08c68

\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\CSCDB9CC01771BB43749581319582BC317C.TMP

MD5 6a10d83d3b10587686446c76ef85202b
SHA1 27fdee6f4dc328320fe79be72a097a0773267b8e
SHA256 716f6f7f5c13fbb161698437681a7b4702822f431376a275a2cee0ae3cb95633
SHA512 bcf11a5613c2eaf89567ca449cbf8502cc41eed087aee98c24fe9be21ea751babf6a394bf8f4ddec2d2305bd16d4bf39b28cb38380c4b80f0d7969d4b2d50f6f

C:\Users\Admin\AppData\Local\Temp\RES7705.tmp

MD5 8ea9b700c6cd34c0791e222c75caa073
SHA1 3ae5c5fb0c57472d2a04274ea316df81ffef2bbd
SHA256 062d11aabfdbd1fc117c6d485d245a24459b8e8a0089834ea942e37ab8372efb
SHA512 857bc877d64d0797f1fab282dd9ce71bd1406db8d2a780791222c73c08d5e30449982825b5539f0ec96e7e2825834ef5fda2cbab9f2628ccbecb8c93587be036

memory/2276-17-0x0000000001A80000-0x0000000001A88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.dll

MD5 7e8ed8ff75b1b205df3947f825184543
SHA1 9790bd6538652be3bba039e6e7be0ffd1e96fe34
SHA256 f69fde4b8ad4e95f4cb2b823b916bbe25c2a705bbcd45105ecb712d30fda2c4f
SHA512 56690ee15a4f38828baa2162c2d1c1f93fb6751b3abaec5557ec9ade2848044d06ffe05f0535c671863bbbc9570575d3d660e355f8ebdeaec543336e9def5dea

C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.pdb

MD5 c5ce755b0df3669fdd94bc15d9b28110
SHA1 13813dde1113df04196178f8994d0fb2b4f05835
SHA256 a153665b1e92ec96e074f7bf2af7f52eb631c2d8ecc37178bf12805a7e7a352c
SHA512 750cc52c08b3833d704766afd71d9df868a50e3a372574e898fa00666ba632eddcc3600bfbffeb364c1e23f8e862057685b0f6b161b8451b80a919d424394f24

memory/2276-19-0x00000000058B0000-0x0000000005942000-memory.dmp

memory/2276-21-0x0000000005A50000-0x0000000005A5C000-memory.dmp

memory/2276-20-0x0000000005880000-0x0000000005894000-memory.dmp

memory/2276-22-0x0000000005A70000-0x0000000005A78000-memory.dmp

memory/2276-23-0x0000000005D40000-0x0000000005DDC000-memory.dmp

memory/2276-24-0x0000000006490000-0x0000000006A34000-memory.dmp

memory/2276-25-0x0000000005F50000-0x0000000005FB6000-memory.dmp

memory/2276-26-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

memory/2276-27-0x0000000074E90000-0x0000000075640000-memory.dmp

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 8b1eff957cbbabe0de8eadb89c03bd33
SHA1 2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7
SHA256 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff
SHA512 ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54

memory/2276-43-0x0000000074E90000-0x0000000075640000-memory.dmp

memory/4024-45-0x0000000074E90000-0x0000000075640000-memory.dmp

memory/4024-44-0x0000000074E90000-0x0000000075640000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.cmdline

MD5 48ddc90704e90f0a4335ca4693c5ea53
SHA1 719945213c449093f0cabdc21379046e7de2e1fd
SHA256 0875cf74956c90631a4347cab09c4cedbc7f3982cd390d13f1d1d50ff7facbe7
SHA512 d4964e467c6ba192885a80ef412ad81b1ad0e2cdc69a81f0047e458e616d9f7028e164c909844bc939f748df3ad898ab5e262a7fdd33ea94c845a9a247594027

\??\c:\Users\Admin\AppData\Local\Temp\ei4lutjr\CSC6F4C49CEB084A1FA836CC283B84C3A.TMP

MD5 2e6cfedde23ff0433223bd990baaf3b6
SHA1 a4c31934161499ee6425c528124b85d26058fe02
SHA256 62d017e4e15b58ce6752f1b6ef831ddc25b0210c1b0c6614e41814aac0f3ae21
SHA512 7cdd1c52d79c0008d74dc739760c3f98b314a81e8c380092f2154a338d4687dbfa2fd47619eac7b3bba11e82bd07ada6c5b7141d7c1bb69293711f0dbbb5fad9

C:\Users\Admin\AppData\Local\Temp\RES72F.tmp

MD5 2ad83426add832240a871352c7611148
SHA1 2d3b1a4d314a90494b19e0729d39a94ba871899c
SHA256 3f4fea4fb07ec56dd35def50d07fdcd7653ef3aab5e377491a456efb052a11ff
SHA512 32179e02e87b450d6babed0bb2964ff2043ecbdf1c5ff8b5141f2a815745fab861d690c787c60b1e3fa300ef30d6505750cb9cb48463090697b9188795213d80

memory/4024-57-0x0000000002390000-0x0000000002398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.pdb

MD5 f57589eaaf644bf0843292ff6af07ac1
SHA1 43586aff971c90ce0abb9e043d8a8e3d3bb12d9c
SHA256 ddc6e27823c6afe4e4836e6e857e0dee221cf9f806c9b0715e5c2457925a6ada
SHA512 2b7a7c71766572263f2060dc77b2c7629eea6b73dba059dbb000db06690333cbd76810e60f2169c738260c2e8fe92942bc2c47353294395e945e4e613f757b0f

C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.dll

MD5 491f42bbb112313b7bfa7c26a955d4bf
SHA1 d6e030bfbf5757e0ec3c150c6542ed2acf5ea44a
SHA256 108c698c49eae97a83d006d8a83731736fbeda040e17cc60814d8d56d0d5ff7f
SHA512 590ee49226c20802f8ba2004d7f7d5abb54e64a2f99e5b84b9828145cbed95c567d4d042b4beb7f6f54d3261f5a4e625767f5b6c4dc57bb8637c8915cce68102

memory/4024-59-0x00000000049B0000-0x00000000049C4000-memory.dmp

memory/4024-60-0x0000000074E90000-0x0000000075640000-memory.dmp