Malware Analysis Report

2025-04-03 10:20

Sample ID: 250311-b9t96swnw3
Target: JaffaCakes118_6289ddda52a8013dc46bf768e7dbc2b7
SHA256: 86b7a285f8bea6cb34c84d34cb40c6e180acdaacb494dbf9f9786d739fb9d697
Tags: latentbot defense_evasion discovery persistence privilege_escalation trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 86b7a285f8bea6cb34c84d34cb40c6e180acdaacb494dbf9f9786d739fb9d697

Threat Level: Known bad

The file JaffaCakes118_6289ddda52a8013dc46bf768e7dbc2b7 was found to be: Known bad.

Malicious Activity Summary

latentbot defense_evasion discovery persistence privilege_escalation trojan

Latentbot family

LatentBot

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-11 01:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-11 01:51

Reported: 2025-03-11 01:53

Platform: win7-20240903-en

Max time kernel: 149s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wkey.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12ce4e06a81e8d54fd01d9b762f1b1bb.exe | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12ce4e06a81e8d54fd01d9b762f1b1bb.exe | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-8JES4.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-BRJ1J.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-E2EP4.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-Q03S2.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-5I9CV.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
File opened for modification | C:\Program Files (x86)\Wireless WEP Key Password Spy\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File opened for modification | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\WKey_demo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sys.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A
N/A | N/A | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3052 wrote to memory of 2472 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | C:\Windows\SysWOW64\sys.exe
PID 3052 wrote to memory of 2408 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | C:\Windows\WKey_demo.exe
PID 2408 wrote to memory of 2216 (7 events) | N/A | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp
PID 2472 wrote to memory of 2812 (4 events) | N/A | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\system.exe
PID 2812 wrote to memory of 2184 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | C:\Windows\SysWOW64\netsh.exe
PID 2216 wrote to memory of 1040 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Wkey.exe

"C:\Users\Admin\AppData\Local\Temp\Wkey.exe"

C:\Windows\SysWOW64\sys.exe

"C:\Windows\system32\sys.exe"

C:\Windows\WKey_demo.exe

"C:\Windows\WKey_demo.exe"

C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp" /SL5="$501D6,113279,54272,C:\Windows\WKey_demo.exe"

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE

C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

"C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | themrbadboy.zapto.org | udp

Files

\Windows\SysWOW64\sys.exe

MD5 14ea1ab95fe959e4c3ebab591040f438
SHA1 5f86acfaf6fa85344c771069f3efcc9b14bc8357
SHA256 043386e7b5d59cb0834ce4a6ef28c160186a1535198cc1cc761f53bf96c29da9
SHA512 cafb15d9257b776eea2f81c490515781468c57e26de7ad5f0c3861c37897b607f212e1702b39ae5eaec6a3ecd5913ecd8acd6dffcbc29621b090dc135429c83b

C:\Windows\WKey_demo.exe

MD5 3f4ed090be1461756b669f86cc591766
SHA1 666dbd68f56bb9f011a765378a4f3c152977c951
SHA256 15adf709e37e1342a24a1a59e0fe09452f7399755e54087b579b230b8d86f37a
SHA512 cb4b4d39088b7cafcd27d2403c6c130c439bcd4cf8dbd998bbd0847ecf1358b91aed743554273cbeae2dc29d3c0dff13e43c07a82d893fb7cb683d3ff684a56b

memory/2472-19-0x0000000074331000-0x0000000074332000-memory.dmp

memory/3052-22-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2408-23-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-CJ1J9.tmp\WKey_demo.tmp

MD5 c080f73b1bdde0853cb0258d9a02b0ec
SHA1 a5112a53e6e75069ac06b7bbd658f7cf2c8f2dee
SHA256 a0cfbc8da39ad4a4d21c61d73873d225ffa5d7650fae5938ab643f719d5f7363
SHA512 e514be3f983de22c0f67bac318686b7fe75cb6fd9832f3603077ad25c559155b7df71555b92bb6366835a104c8d2828cec2766fb7f855bd3f79f66319d6a5eac

\Users\Admin\AppData\Local\Temp\is-AVHQS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2472-38-0x0000000074330000-0x00000000748DB000-memory.dmp

memory/2472-40-0x0000000074332000-0x0000000074334000-memory.dmp

memory/2408-39-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2472-48-0x0000000074330000-0x00000000748DB000-memory.dmp

memory/2408-50-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2216-51-0x0000000000400000-0x00000000004BC000-memory.dmp

\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

MD5 80d2df0444140e5dd15dba41ff09c734
SHA1 c83d30248f2c2acfa0507b1c6e1dfb4a37b149fb
SHA256 413f3fe2c4d3eecb7e3e9c7ec3b5b96d001e1debe41a643717abfee8fb0cd5da
SHA512 8c2f95c06d76a08cd45c537ef855237957a399f32bccdb1d60ca1f492be95b4aa6d64e8f95ed9dd335d8c4f1ce51e398a3b0eadf51fd5c5820e4ec65d9e7c0a3

\Program Files (x86)\Wireless WEP Key Password Spy\unins000.exe

MD5 bbbf6577b5eb9c6fba76d11b109a6900
SHA1 340452868dd093737d74e81b63baf7fc42f1bd20
SHA256 e9b00c0aebcee913dfb7ebc52e681c22543a2e0a7d9741c868a3dc0f182b7037
SHA512 386169b5bee0d4c83e398a7caef14126b2daa3046c4552aa6d87e713900fd3e60164b9aba788e89aa1be5450a767c7bc9624fe85b3709f26d0eea71aa59f7c7b

memory/2216-90-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2408-91-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-11 01:51

Reported: 2025-03-11 01:53

Platform: win10v2004-20250217-en

Max time kernel: 150s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Wkey.exe"

Signatures

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies Windows Firewall

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\sys.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12ce4e06a81e8d54fd01d9b762f1b1bb.exe | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12ce4e06a81e8d54fd01d9b762f1b1bb.exe | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .." | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-OU1KR.tmp | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-QKNL7.tmp | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-O5D6N.tmp | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-O4GPI.tmp | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File opened for modification | C:\Program Files (x86)\Wireless WEP Key Password Spy\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
File created | C:\Program Files (x86)\Alpine Snow\Wireless Key\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File created | C:\Program Files (x86)\Wireless WEP Key Password Spy\is-L7RLB.tmp | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
File opened for modification | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sys.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\WKey_demo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A
N/A | N/A | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3104 wrote to memory of 2628 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | C:\Windows\SysWOW64\sys.exe
PID 3104 wrote to memory of 6104 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Wkey.exe | C:\Windows\WKey_demo.exe
PID 6104 wrote to memory of 6096 (3 events) | N/A | C:\Windows\WKey_demo.exe | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp
PID 2628 wrote to memory of 3232 (3 events) | N/A | C:\Windows\SysWOW64\sys.exe | C:\Users\Admin\AppData\Local\Temp\system.exe
PID 3232 wrote to memory of 3068 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\system.exe | C:\Windows\SysWOW64\netsh.exe
PID 6096 wrote to memory of 4540 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp | C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Wkey.exe

"C:\Users\Admin\AppData\Local\Temp\Wkey.exe"

C:\Windows\SysWOW64\sys.exe

"C:\Windows\system32\sys.exe"

C:\Windows\WKey_demo.exe

"C:\Windows\WKey_demo.exe"

C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp" /SL5="$90054,113279,54272,C:\Windows\WKey_demo.exe"

C:\Users\Admin\AppData\Local\Temp\system.exe

"C:\Users\Admin\AppData\Local\Temp\system.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE

C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

"C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
GB | 95.100.153.143:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | themrbadboy.zapto.org | udp (27 DNS queries)

Files

C:\Windows\SysWOW64\sys.exe

MD5 14ea1ab95fe959e4c3ebab591040f438
SHA1 5f86acfaf6fa85344c771069f3efcc9b14bc8357
SHA256 043386e7b5d59cb0834ce4a6ef28c160186a1535198cc1cc761f53bf96c29da9
SHA512 cafb15d9257b776eea2f81c490515781468c57e26de7ad5f0c3861c37897b607f212e1702b39ae5eaec6a3ecd5913ecd8acd6dffcbc29621b090dc135429c83b

C:\Windows\WKey_demo.exe

MD5 3f4ed090be1461756b669f86cc591766
SHA1 666dbd68f56bb9f011a765378a4f3c152977c951
SHA256 15adf709e37e1342a24a1a59e0fe09452f7399755e54087b579b230b8d86f37a
SHA512 cb4b4d39088b7cafcd27d2403c6c130c439bcd4cf8dbd998bbd0847ecf1358b91aed743554273cbeae2dc29d3c0dff13e43c07a82d893fb7cb683d3ff684a56b

memory/3104-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2628-33-0x0000000074A02000-0x0000000074A03000-memory.dmp

memory/6104-32-0x0000000000401000-0x000000000040B000-memory.dmp

memory/6104-29-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NQME4.tmp\WKey_demo.tmp

MD5 c080f73b1bdde0853cb0258d9a02b0ec
SHA1 a5112a53e6e75069ac06b7bbd658f7cf2c8f2dee
SHA256 a0cfbc8da39ad4a4d21c61d73873d225ffa5d7650fae5938ab643f719d5f7363
SHA512 e514be3f983de22c0f67bac318686b7fe75cb6fd9832f3603077ad25c559155b7df71555b92bb6366835a104c8d2828cec2766fb7f855bd3f79f66319d6a5eac

memory/2628-37-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/2628-38-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/6096-42-0x0000000000660000-0x0000000000661000-memory.dmp

memory/2628-54-0x0000000074A00000-0x0000000074FB1000-memory.dmp

memory/6104-56-0x0000000000400000-0x0000000000414000-memory.dmp

memory/6096-57-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/6096-58-0x0000000000660000-0x0000000000661000-memory.dmp

C:\Program Files (x86)\Wireless WEP Key Password Spy\WKey.exe

MD5 80d2df0444140e5dd15dba41ff09c734
SHA1 c83d30248f2c2acfa0507b1c6e1dfb4a37b149fb
SHA256 413f3fe2c4d3eecb7e3e9c7ec3b5b96d001e1debe41a643717abfee8fb0cd5da
SHA512 8c2f95c06d76a08cd45c537ef855237957a399f32bccdb1d60ca1f492be95b4aa6d64e8f95ed9dd335d8c4f1ce51e398a3b0eadf51fd5c5820e4ec65d9e7c0a3

memory/6096-89-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/6104-90-0x0000000000400000-0x0000000000414000-memory.dmp