Malware Analysis Report

2025-03-14 21:53

Sample ID 250123-gqxh3sxkdr
Target JaffaCakes118_145356f559186ff2bb984ca4a53c91d9
SHA256 48c90e9bf2a1bc222607ca074a001e616ec79bbf4c912472ab615000bb7d49d5
Tags
discovery google defense_evasion phishing
score
10/10

Analysis Overview

score
10/10

SHA256

48c90e9bf2a1bc222607ca074a001e616ec79bbf4c912472ab615000bb7d49d5

Threat Level: Known bad

The file JaffaCakes118_145356f559186ff2bb984ca4a53c91d9 was found to be: Known bad.

Malicious Activity Summary

discovery google defense_evasion phishing

Modifies firewall policy service

Detected google phishing page

Deletes itself

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-23 06:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-23 06:01

Reported

2025-01-23 06:03

Platform

win7-20240903-en

Max time kernel

38s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crack.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Crack.exe"

Network

N/A

Files

memory/2172-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2172-21-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-23 06:01

Reported

2025-01-23 06:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crack.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crack.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Crack.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.168.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.168.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Files

memory/1448-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1448-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1448-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1448-21-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-23 06:01

Reported

2025-01-23 06:03

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"

Signatures

Detected google phishing page

phishing google

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2132 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2292 wrote to memory of 2480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1504 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1504 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1504 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1504 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2716 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe

"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\melt1.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | payday4sonpink.googlepages.com | udp
GB | 142.250.200.19:80 | payday4sonpink.googlepages.com | tcp
US | 8.8.8.8:53 | sites.google.com | udp
GB | 216.58.201.110:80 | sites.google.com | tcp
GB | 216.58.201.110:443 | sites.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 172.217.16.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 172.217.16.227:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
BE | 142.251.173.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
FR | 2.22.255.150:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
RO | 2.20.118.102:80 | www.microsoft.com | tcp

Files

C:\melt1.bat

MD5 8ad140e276ec17b7af7975b66895c7a3
SHA1 bcaf06d1a250a63f05dceb9055e44b91fc7e9484
SHA256 4fb851ce6fa12ee0e53bf03b4408fcd1930d0a21858909913a2e8a34323569d3
SHA512 5f0ebedd47f8ac4eb3b5d813864151e9fb0041752b25fe0cf49a40b069b0dd1be28592bdbddb9fd0c07f15cdaabceb7d3e3491b92e0abdc6fe5133cb93db5dad

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-23 06:01

Reported

2025-01-23 06:03

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"

Signatures

Detected google phishing page

phishing google

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G-PROS~1.exe:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3232 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2208 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1356 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1356 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1356 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3232 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4672 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4672 wrote to memory of 2648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 4328 wrote to memory of 812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3232 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe

"C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\G-PROS~1.exe:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\melt1.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | payday4sonpink.googlepages.com | udp
GB | 142.250.200.19:80 | payday4sonpink.googlepages.com | tcp
US | 8.8.8.8:53 | sites.google.com | udp
GB | 216.58.201.110:80 | sites.google.com | tcp
GB | 216.58.201.110:443 | sites.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 172.217.16.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 172.217.16.227:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | 19.200.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | accounts.google.com | udp
BE | 142.251.173.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.173.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.168.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup_ver1.1433.01.exe

MD5 217766f4ff9d340b04840cb780f87ce1
SHA1 fb1b66e3f68b8143b7b32abe8c5cafbb7211ffb5
SHA256 89da4287a332f7a9472cbcfa96627804387dd84da47b01e22409d9053b57f5b4
SHA512 acdcc6fb370af090a908c24fb277e332a0ea7467ca67efd9df5d17572319b587b720a8bcc13b02fbf08b461547d4d6b55e9d37a24b00f0f1f13b8712e82d2868

C:\Users\Admin\AppData\Local\Temp\akkarik1.exe

MD5 aaf685f34eefe6b4128865037fad20df
SHA1 4be1cecb7fee43dc5fd92af36923202b28882ad8
SHA256 3e75f14c7be25c7cd6cedccbf39ffea8fbe477f63d740a6e47a179d4ae1ffbe3
SHA512 66d6340546201fe1a057da9ead756178b75961d8adad20f58540943c0a8b85408b796e5e73c469f3560414ab747fbbad353a7409047307fb0b096d01817e5193

C:\melt1.bat

MD5 8ad140e276ec17b7af7975b66895c7a3
SHA1 bcaf06d1a250a63f05dceb9055e44b91fc7e9484
SHA256 4fb851ce6fa12ee0e53bf03b4408fcd1930d0a21858909913a2e8a34323569d3
SHA512 5f0ebedd47f8ac4eb3b5d813864151e9fb0041752b25fe0cf49a40b069b0dd1be28592bdbddb9fd0c07f15cdaabceb7d3e3491b92e0abdc6fe5133cb93db5dad