Analysis Overview
SHA256: 48c90e9bf2a1bc222607ca074a001e616ec79bbf4c912472ab615000bb7d49d5
Threat Level: Known bad
The file JaffaCakes118_145356f559186ff2bb984ca4a53c91d9 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Detected google phishing page
Deletes itself
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-23 06:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-01-23 06:01
Reported: 2025-01-23 06:03
Platform: win7-20240903-en
Max time kernel: 38s
Max time network: 17s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Crack.exe"
Network
Files
memory/2172-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2172-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2172-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2172-21-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2025-01-23 06:01
Reported: 2025-01-23 06:03
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
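The two "Drops file in Program Files directory" tables above (behavioral1 and behavioral2) show Crack.exe, running from the user's Temp directory, creating and then opening for modification the DLLs of an existing Google Earth Pro install (base.dll, googleearth.dll, common.dll, measure.dll, gps.dll, evll.dll). A DLL replaced or patched in a vendor directory no longer carries the vendor's Authenticode signature, so a signature check over that directory is the quick on-host confirmation. The following is an added example, not part of the sandbox output: a Python triage rule that reads rows in the table format used on this page and flags Program Files writes made by a process launched from a user-writable path, ranking loadable modules above data files. The sample rows are copied from the tables above; the writable-path list, the loadable-extension set and the severity labels are assumptions of the example.

```python
"""Added triage rule for the 'Drops file in Program Files directory' tables:
flag executables running from a user-writable location that create or modify
files under Program Files, and rank loadable modules (DLL/EXE/...) highest.
Sample rows are copied from the report; the rule and its thresholds are my own."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Iterable

# Assumption: a short list of locations a standard user can write to without
# elevation; extend it for your own environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|users\\public|programdata)\\",
    re.IGNORECASE,
)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)
LOADABLE = {".dll", ".exe", ".sys", ".ocx", ".cpl"}  # replaced code, not just data

# Constructed input: rows taken from the behavioral1/behavioral2 tables above,
# plus one registry row to show that non-file rows are ignored.
SAMPLE_ROWS = [
    "| Description | Indicator | Process | Target |",
    r"| File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |",
    r"| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |",
    r"| File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |",
    r"| File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |",
    r"| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |",
]


@dataclass(frozen=True)
class FileEvent:
    action: str
    path: str
    process: str


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" for a loadable module, "low" for any other file
    process: str
    action: str
    path: str


def parse_row(line: str) -> FileEvent | None:
    """Parse one '| Description | Indicator | Process | Target |' row; None for the header or noise."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    action, indicator, process, _target = cells
    return FileEvent(action, indicator, process)


def find_program_files_tampering(rows: Iterable[str]) -> list[Finding]:
    """Findings for Program Files writes made by a process that runs from a user-writable path."""
    findings: list[Finding] = []
    for line in rows:
        ev = parse_row(line)
        if ev is None or not USER_WRITABLE.match(ev.process) or not PROGRAM_FILES.match(ev.path):
            continue
        ext = ntpath.splitext(ev.path)[1].lower()  # ntpath handles Windows paths on any OS
        findings.append(Finding("high" if ext in LOADABLE else "low", ev.process, ev.action, ev.path))
    return findings


if __name__ == "__main__":
    for f in find_program_files_tampering(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.process} -> {f.action}: {f.path}")
```

On the rows above the rule yields two high findings (base.dll, common.dll) and two low ones (default_lt.kvw, kh20); a vendor updater writing into its own Program Files directory, or a Temp-resident process writing only inside Temp, produces nothing.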
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Crack.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.168.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.168.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/1448-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1448-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1448-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1448-21-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted: 2025-01-23 06:01
Reported: 2025-01-23 06:03
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 123s
Command Line
Signatures
Detected google phishing page
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe
"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\melt1.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | payday4sonpink.googlepages.com | udp |
| GB | 142.250.200.19:80 | payday4sonpink.googlepages.com | tcp |
| US | 8.8.8.8:53 | sites.google.com | udp |
| GB | 216.58.201.110:80 | sites.google.com | tcp |
| GB | 216.58.201.110:443 | sites.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.16.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| BE | 142.251.173.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| FR | 2.22.255.150:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RO | 2.20.118.102:80 | www.microsoft.com | tcp |
Files
C:\melt1.bat
| MD5 | 8ad140e276ec17b7af7975b66895c7a3 |
| SHA1 | bcaf06d1a250a63f05dceb9055e44b91fc7e9484 |
| SHA256 | 4fb851ce6fa12ee0e53bf03b4408fcd1930d0a21858909913a2e8a34323569d3 |
| SHA512 | 5f0ebedd47f8ac4eb3b5d813864151e9fb0041752b25fe0cf49a40b069b0dd1be28592bdbddb9fd0c07f15cdaabceb7d3e3491b92e0abdc6fe5133cb93db5dad |
Analysis: behavioral4
Detonation Overview
Submitted: 2025-01-23 06:01
Reported: 2025-01-23 06:03
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 138s
Command Line
Signatures
Detected google phishing page
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe
"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\melt1.bat
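The process lists for behavioral3 and behavioral4 show the same chain twice: G-PROS~1.exe spawns cmd.exe, which runs reg.exe to (1) add the dropper to the legacy exception list under FirewallPolicy\StandardProfile\AuthorizedApplications\List, using the "path:scope:Enabled:name" value format that "netsh firewall add allowedprogram" wrote, and (2) set DoNotAllowExceptions to 0 so that list is honoured; finally cmd /c C:\melt1.bat runs, which is the step behind the "Deletes itself" signature (only the batch file's hashes appear on this page, not its contents). The sandbox attributes the registry writes to reg.exe rather than to G-PROS~1.exe, so a detection keyed only on the dropper's own registry activity misses them; the child's command line is the signal. The following is an added example, not part of the sandbox output: Python triage rules over the process command lines above that unwrap "cmd /c", parse REG ADD, decode the exception-list value and flag the batch launch. Rule names and the writable-path heuristic are the example's own assumptions.

```python
"""Added triage rules for the cmd.exe -> reg.exe chain in the behavioral3 and
behavioral4 process lists: legacy Windows Firewall exception added for the
dropper, DoNotAllowExceptions forced to 0, and a batch file launched through
cmd /c (the self-deletion step). Rule names and the writable-path heuristic are
my own, not the sandbox's."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Iterable

# Legacy (XP SP2-era) firewall policy key: the profile name is captured, anything below it in 'sub'.
FIREWALL_KEY = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\(?P<profile>[^\\]+)(?P<sub>(\\[^\\]+)*)$",
    re.IGNORECASE,
)
# Assumption: a short list of locations a standard user can write to.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|users\\public|programdata)\\",
    re.IGNORECASE,
)

# Constructed input: the command lines from the behavioral4 process list above.
SAMPLE_PROCESS_LOG = [
    r'"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'C:\Windows\system32\cmd.exe /c C:\melt1.bat',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def strip_cmd_wrapper(tokens: list[str]) -> list[str]:
    """Remove a leading 'cmd /c' (bare name or full path) so the wrapped command is analysed."""
    if len(tokens) >= 2 and ntpath.basename(tokens[0]).lower() in ("cmd", "cmd.exe") and tokens[1].lower() == "/c":
        return tokens[2:]
    return tokens


def parse_reg_add(tokens: list[str]) -> dict | None:
    """Return {'key','name','type','data'} for 'REG ADD <key> /v .. /t .. /d ..', else None."""
    if len(tokens) < 3 or ntpath.basename(tokens[0]).lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    out: dict = {"key": tokens[2], "name": None, "type": None, "data": None}
    fields = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        field = fields.get(tokens[i].lower())
        if field and i + 1 < len(tokens):
            out[field] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return out


def triage_cmdline(cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    tokens = strip_cmd_wrapper(tokenize(cmdline))
    if not tokens:
        return findings
    if tokens[0].lower().endswith((".bat", ".cmd")):
        findings.append(Finding("batch-via-cmd", f"{tokens[0]} launched; inspect it for self-deletion of the dropper", cmdline))
    reg = parse_reg_add(tokens)
    if reg is None or (m := FIREWALL_KEY.search(reg["key"])) is None:
        return findings
    profile, sub = m.group("profile"), m.group("sub").lower()
    if sub.endswith("\\authorizedapplications\\list"):
        # Exception list entry: value name is the program path, data is
        # "<path>:<scope>:Enabled|Disabled:<display name>"; the path itself contains a colon,
        # so split from the right.
        parts = (reg["data"] or "").rsplit(":", 3)
        if len(parts) == 4 and parts[2].lower() == "enabled":
            path, scope, _state, title = parts
            origin = "user-writable path" if USER_WRITABLE.match(path) else "non-temp path"
            findings.append(Finding("firewall-exception-added", f"{profile}: {path} scope={scope} name={title!r} ({origin})", cmdline))
    elif sub == "" and (reg["name"] or "").lower() == "donotallowexceptions" and reg["data"] == "0":
        findings.append(Finding("firewall-exceptions-enabled", f"{profile}: DoNotAllowExceptions=0, so the exception list is honoured", cmdline))
    return findings


def triage_process_log(cmdlines: Iterable[str]) -> list[Finding]:
    return [f for c in cmdlines for f in triage_cmdline(c)]


if __name__ == "__main__":
    for f in triage_process_log(SAMPLE_PROCESS_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run over the six command lines above this produces five findings in process order: exceptions enabled, exception added (twice, once for the cmd.exe wrapper and once for the reg.exe child, which is also why the signature tables list each registry write twice), exceptions enabled again, and the melt1.bat launch. The exception-added finding carries the decoded path, scope "*" and display name "MSWin64", and notes that the whitelisted program lives in a user-writable Temp directory.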
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | payday4sonpink.googlepages.com | udp |
| GB | 142.250.200.19:80 | payday4sonpink.googlepages.com | tcp |
| US | 8.8.8.8:53 | sites.google.com | udp |
| GB | 216.58.201.110:80 | sites.google.com | tcp |
| GB | 216.58.201.110:443 | sites.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.16.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 19.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| BE | 142.251.173.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.173.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.168.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup_ver1.1433.01.exe
| MD5 | 217766f4ff9d340b04840cb780f87ce1 |
| SHA1 | fb1b66e3f68b8143b7b32abe8c5cafbb7211ffb5 |
| SHA256 | 89da4287a332f7a9472cbcfa96627804387dd84da47b01e22409d9053b57f5b4 |
| SHA512 | acdcc6fb370af090a908c24fb277e332a0ea7467ca67efd9df5d17572319b587b720a8bcc13b02fbf08b461547d4d6b55e9d37a24b00f0f1f13b8712e82d2868 |
C:\Users\Admin\AppData\Local\Temp\akkarik1.exe
| MD5 | aaf685f34eefe6b4128865037fad20df |
| SHA1 | 4be1cecb7fee43dc5fd92af36923202b28882ad8 |
| SHA256 | 3e75f14c7be25c7cd6cedccbf39ffea8fbe477f63d740a6e47a179d4ae1ffbe3 |
| SHA512 | 66d6340546201fe1a057da9ead756178b75961d8adad20f58540943c0a8b85408b796e5e73c469f3560414ab747fbbad353a7409047307fb0b096d01817e5193 |
C:\melt1.bat
| MD5 | 8ad140e276ec17b7af7975b66895c7a3 |
| SHA1 | bcaf06d1a250a63f05dceb9055e44b91fc7e9484 |
| SHA256 | 4fb851ce6fa12ee0e53bf03b4408fcd1930d0a21858909913a2e8a34323569d3 |
| SHA512 | 5f0ebedd47f8ac4eb3b5d813864151e9fb0041752b25fe0cf49a40b069b0dd1be28592bdbddb9fd0c07f15cdaabceb7d3e3491b92e0abdc6fe5133cb93db5dad |