Malware Analysis Report

2025-04-14 05:16

Sample ID 250329-vx752swls3
Target JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c
SHA256 88e6926483429d26ff92654a1c9f1977d30c577654cad7e733e4d916413f6b96
Tags

discovery, strela

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral18, behavioral21, behavioral10, behavioral11, behavioral3, behavioral7, behavioral9, behavioral14, behavioral19, behavioral5, behavioral27, behavioral30, behavioral12, behavioral1, behavioral2, behavioral17, behavioral25, behavioral16, behavioral24, behavioral31, behavioral4, behavioral8, behavioral15, behavioral23, behavioral28, behavioral29, behavioral6, behavioral20, behavioral32, behavioral26, behavioral13, behavioral22 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score

10/10

SHA256

88e6926483429d26ff92654a1c9f1977d30c577654cad7e733e4d916413f6b96

Threat Level: Known bad

The file JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, strela

Strela family

Detects Strela Stealer payload

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Note on the score: the two Strela signatures (Strela family, Detects Strela Stealer payload) fired only in the static pass (static1) and carry no indicator, process or target. None of the behavioral runs included on this page re-triggered them; their signatures are limited to file drops, the NLS\Language registry read, rundll32 crashes on the extracted DLLs, parent-to-child memory writes and UI API use. Confirm the static match against the extracted payload before treating the 10/10 as a Strela detection.

MITRE ATT&CK

Enterprise Matrix V15

Discovery: T1614.001 System Location Discovery: System Language Discovery. This is the only ATT&CK-named signature on the page (the NLS\Language registry key opened by the detonated processes); the report prints no other technique mappings.

Analysis: static1

Detonation Overview

Reported

2025-03-29 17:23

Signatures

Detects Strela Stealer payload

1 match. Description, Indicator, Process and Target: N/A (the static pass records no indicator for this rule).

Strela family

tags: strela

Unsigned PE

65 matches. Description, Indicator, Process and Target: N/A for every entry.

NSIS installer

tags: installer

2 matches. Description, Indicator, Process and Target: N/A for both entries.

Analysis: behavioral18

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

101s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\Main.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\Main.exe N/A 2

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\Main.exe

"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

NetKeeper.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.28.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 - udp 1
US 199.232.214.172:80 - tcp 1
US 8.8.8.8:53 c.pki.goog udp 1
GB 142.250.187.227:80 c.pki.goog tcp 1

("-" marks a row for which the report prints no domain.)

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A 2

Processes

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win10v2004-20250314-en

Max time kernel

116s

Max time network

85s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

(This run forces export ordinal #1 of the extracted msvcp60.dll, normally the Visual C++ 6 C++ runtime library, through rundll32, which calls the export with its own (HWND, HINSTANCE, LPSTR, int) entry-point signature. A crash is the expected outcome for a library DLL detonated this way and on its own says nothing about the sample.)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1444 wrote to memory of 4012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3

(The writer is the 64-bit rundll32 and the target is the 32-bit SysWOW64 rundll32 it launched to host a 32-bit DLL; no write into an unrelated process is recorded.)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 600

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.28.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 - udp 1
N/A 142.250.187.227:80 - tcp 1
US 199.232.210.172:80 - tcp 2
US 8.8.8.8:53 - udp 2
N/A 52.111.227.13:443 - tcp 1
US 8.8.8.8:53 - udp 1

("-" marks a row for which the report prints no domain.)

Files

memory/4012-0-0x0000000000AF0000-0x0000000000B55000-memory.dmp
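The three signature rows above (the repeated WriteProcessMemory row, the two WerFault command lines and the memory dump name) describe one chain: the 64-bit rundll32 launched a 32-bit rundll32, the 32-bit one crashed, and the sandbox dumped a region of it. What follows is an added example, not part of the original report or of the sandbox product, that parses those rows in the format the report prints and checks the chain mechanically. The input strings are copied from behavioral10; the WoW64 check encodes standard Windows behaviour (rundll32 relaunches its 32-bit build from SysWOW64 when handed a 32-bit DLL), and the dump range comes only from the file name, so the example makes no claim about what the dumped bytes are.

```python
"""Correlate a rundll32 crash run from its signature rows.

Added example for this report, not part of the original page. The three
inputs are copied from behavioral10. The WoW64 relaunch check is standard
Windows behaviour; the dump range is parsed from the sandbox's file name.
"""
import re

WRITEPROCESSMEMORY_ROWS = [
    r"PID 1444 wrote to memory of 4012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3  # the report prints the identical row three times
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 600",
]
DUMP_NAME = "memory/4012-0-0x0000000000AF0000-0x0000000000B55000-memory.dmp"

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p (\d+)")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_writes(rows):
    """Aggregate 'PID a wrote to memory of b' rows into (a, b) -> details."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        e = edges.setdefault((int(src), int(dst)), {"src": src_img, "dst": dst_img, "events": 0})
        e["events"] += 1
    return edges


def crashed_pids(cmdlines):
    """PIDs named by WerFault's -p switch, i.e. the faulting processes."""
    pids = set()
    for c in cmdlines:
        m = WERFAULT_PID_RE.search(c)
        if m:
            pids.add(int(m.group(1)))
    return pids


def parse_dump_name(name):
    """pid, dump index, and the dumped range: memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp"""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "base": start, "size": end - start}


def is_wow64_relaunch(src_img, dst_img):
    """64-bit system32\\rundll32.exe spawning 32-bit SysWOW64\\rundll32.exe."""
    s, d = src_img.lower(), dst_img.lower()
    return s.endswith(r"\system32\rundll32.exe") and d.endswith(r"\syswow64\rundll32.exe")


def correlate(write_rows, werfault_cmdlines, dump_name):
    """Join the three sources on PID and describe each parent->child edge."""
    edges = parse_writes(write_rows)
    crashed = crashed_pids(werfault_cmdlines)
    dump = parse_dump_name(dump_name)
    chain = []
    for (src, dst), info in edges.items():
        chain.append({
            "parent": src,
            "child": dst,
            "events": info["events"],
            "wow64_relaunch": is_wow64_relaunch(info["src"], info["dst"]),
            "child_crashed": dst in crashed,
            "dump_is_child": dump["pid"] == dst,
        })
    return chain, dump


if __name__ == "__main__":
    chain, dump = correlate(WRITEPROCESSMEMORY_ROWS, WERFAULT_CMDLINES, DUMP_NAME)
    for link in chain:
        print(link)
    print(f"dump: pid {dump['pid']} base 0x{dump['base']:X} size 0x{dump['size']:X}")
```

For behavioral10 the single edge is 1444 -> 4012 with three events, flagged as a WoW64 relaunch, and 4012 is both the PID WerFault reports and the PID the dump belongs to; the dumped range starts at 0xAF0000 and spans 0x65000 bytes. A write edge whose target is not a rundll32 the parent itself launched, or a WerFault PID that does not appear as any child, would be the case worth a manual look.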

Analysis: behavioral11

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 236

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 244

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system\npf.vxd C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system\npf.vxd C:\Windows\system32\cmd.exe N/A

(npf.vxd is a VxD, the Windows 9x driver format. NT-based Windows, including this win7 image, cannot load a VxD, so the batch file leaves an inert copy in C:\Windows\system rather than installing a driver.)

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20241010-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224

Network

N/A

Files

memory/2184-1-0x00000000001E0000-0x0000000000245000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win10v2004-20250314-en

Max time kernel

102s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1964 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2824 -ip 2824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 660

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.28.10:443 g.bing.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 150.171.28.10:443 tse1.mm.bing.net tcp 3
US 8.8.8.8:53 - udp 1
IT 91.81.129.181:80 - tcp 1
US 8.8.8.8:53 - udp 1
IT 91.81.129.181:80 - tcp 1
US 8.8.8.8:53 - udp 1
GB 142.250.187.227:80 - tcp 1
IT 91.81.129.181:80 - tcp 1
US 8.8.8.8:53 - udp 2
N/A 52.111.236.23:443 - tcp 1
US 8.8.8.8:53 - udp 1

("-" marks a row for which the report prints no domain.)
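The Network tables in this report mix the sample's traffic with the sandbox image's own background traffic, and several rows print a bare IP with no domain. The following is an added example, not part of the original report or of the sandbox product, that parses rows in the report's own column layout, labels a bare IP with the domain the report attached to the same IP in another run (passive-DNS-style correlation within the report), and sets aside known background destinations. Rows are copied, abridged, from the behavioral18 and behavioral14 tables; the background suffix list is an assumption about what a stock Windows 10 sandbox image contacts and should be tuned to your own image.

```python
"""De-noise a sandbox Network table and cross-label bare IPs.

Added example for this report; not part of the original page or of the
sandbox product. Rows are copied (abridged) from the behavioral18 and
behavioral14 tables. BACKGROUND_SUFFIXES is the editor's assumption.
"""
from collections import Counter, defaultdict
import re

BEHAVIORAL18 = """\
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 199.232.214.172:80 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
"""

BEHAVIORAL14 = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
IT 91.81.129.181:80 tcp
US 8.8.8.8:53 udp
IT 91.81.129.181:80 tcp
GB 142.250.187.227:80 tcp
IT 91.81.129.181:80 tcp
N/A 52.111.236.23:443 tcp
US 8.8.8.8:53 udp
"""

# Assumption (editor's list, not the report's): name suffixes the sandbox
# image talks to on its own regardless of the sample.
BACKGROUND_SUFFIXES = (".bing.net", ".bing.com", "pki.goog")
DNS_RESOLVER = "8.8.8.8:53"

# country, ip:port, optional domain, proto: exactly the report's columns.
ROW = re.compile(r"^(\S+) (\S+:\d+)(?: (\S+))? (udp|tcp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        country, dest, domain, proto = m.groups()
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ip_to_domain_map(*row_sets):
    """IPs the report labels with a domain in any run. DNS rows are skipped:
    their domain is the queried name, not a name for the resolver."""
    mapping = {}
    for rows in row_sets:
        for r in rows:
            ip, port = r["dest"].rsplit(":", 1)
            if r["domain"] and port != "53":
                mapping.setdefault(ip, r["domain"])
    return mapping


def classify(row, ip_map):
    """Return (bucket, domain); a bare IP inherits a domain seen elsewhere."""
    ip = row["dest"].rsplit(":", 1)[0]
    domain = row["domain"] or ip_map.get(ip)
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        return "background", domain
    if row["dest"] == DNS_RESOLVER:
        return "unnamed_dns", None  # query name not printed: unattributable
    return "review", domain


def triage(rows, ip_map):
    buckets = defaultdict(Counter)
    for r in rows:
        bucket, domain = classify(r, ip_map)
        buckets[bucket][(r["dest"], domain or "?", r["proto"], r["country"])] += 1
    return buckets


def review_targets(*row_sets):
    """Destinations left after noise removal, merged across runs with counts."""
    ip_map = ip_to_domain_map(*row_sets)
    merged = Counter()
    for rows in row_sets:
        merged.update(triage(rows, ip_map)["review"])
    return ip_map, merged


if __name__ == "__main__":
    ip_map, review = review_targets(parse_rows(BEHAVIORAL18), parse_rows(BEHAVIORAL14))
    for (dest, domain, proto, country), n in review.most_common():
        print(f"{country:>3} {dest:<22} {domain:<18} {proto} x{n}")
```

On these rows the destinations left for review are 199.232.214.172:80 (behavioral18), 91.81.129.181:80 (three connections in behavioral14) and 52.111.236.23:443; 142.250.187.227:80, bare in behavioral14, is attributed to c.pki.goog through the behavioral18 row that named it. "Review" means unattributed by the report, not malicious: pivot on the IP before drawing a conclusion.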

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20250207-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A 2

Processes

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20241010-en

Max time kernel

121s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250313-en

Max time kernel

101s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4336 wrote to memory of 5064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.28.10:443 g.bing.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 - udp 1
N/A 199.232.214.172:80 - tcp 2
US 8.8.8.8:53 - udp 1
N/A 142.250.187.227:80 - tcp 1
N/A 199.232.214.172:80 - tcp 1
US 8.8.8.8:53 - udp 2
N/A 52.111.243.31:443 - tcp 1
US 8.8.8.8:53 - udp 1

("-" marks a row for which the report prints no domain.)

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250313-en

Max time kernel

101s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 5052 wrote to memory of 3628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 632

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.27.10:443 g.bing.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 c.pki.goog udp 1
GB 142.250.187.227:80 c.pki.goog tcp 1

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20240903-en

Max time kernel

37s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"

Signatures

Drops file in Program Files directory

52 entries. Every entry is Description "File created", Indicator N/A, Process C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe, Target N/A. Paths created, grouped by directory under C:\Program Files (x86)\ChinaNetSn\ (table order kept within each group):

bin\ (18): xlCredit.dll, NetKeeper.dat, english.dll, xinlientryxp.dll, DLmode.dll, Main.exe, bindconfirm.dat, version.ini, detector.dll, doload.dll, xinlientry98.dll, Updatemode.dll, bmpres.dll, statistics2kup.dll, xinlientry2k.dll, gpeerm.dll, NetKeeper.exe, Settings.dat

config\ (2): basic.xml, config.xml

plugin\EDC\ (14): ConferenceMgr.dll, GIF89.DLL, RTCS_Log.dll, default_ad_view.html, skinmm.dll, ImageOle.dll, defaultADGif.gif, EDCUpdate.exe, readme.txt, ConfManagerDlld.dll, dc.exe, uninst.exe, DRegClientDll.dll, ConfManagerDll.dll

plugin\EDC\Emotions\ (18): 0804.xml, 20.gif, 22.gif, 14.gif, 16.gif, 0.gif, 1.gif, 100.gif, 12.gif, 13.gif, 15.gif, 17.gif, 18.gif, 19.gif, 2.gif, 10.gif, 11.gif, 21.gif

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"

C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe

"C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe" anxiaohui

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\System.dll

MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c538f8af4f
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
SHA512 e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3

C:\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\ioSpecial.ini

MD5 a32169d6720f484fa583dfdba3816c20
SHA1 323d1498d45ad3d2d332e3d6fc9ebe60dcd9695c
SHA256 fc24b6a10aa2500e241a059f43b44adb14e9a4af39951b8f9368feca2eca6acf
SHA512 d1eb28d7de74d014fbff745b7fc1fedb1bdf59b8c1dfe242928d40bdb8a30722b6c8a9b03f5833d6bf6bd390e6ac5f1ed5eabae94a3a54e84e372e366f965bc7

\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\InstallOptions.dll

MD5 1e8f2fefe3ce893b117b26948b8978cb
SHA1 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab
SHA256 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519
SHA512 b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\SKIN\school\MSSCCPRJ.SCC

MD5 0cf6771381dd14893497a24d7427af1a
SHA1 14cba86b8b85bc9abe7f567ab98334d1a19a3758
SHA256 3558c2a61fc57b54f80eb03e0873196125d37e6f079cac807602736b19b312ad
SHA512 6cfecf0e0fdaec5624d5b539571ce41e45d335a3b9c9755cf49c7b1383b6b1b8499ac23800bdeeed6c7540a9090902344d759dcd401788f7adcc5f69a51b1f41

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\SKIN\system\button_enter.bmp

MD5 72aa5131841566021c4125b5060b5d03
SHA1 75066bc5a5c36d6350515e075c71a546d387ea53
SHA256 33bb9ca96efa1c7712187208c9d489c504e869a5d646c78c3b5722e456d32a3a
SHA512 dfac9f08c61a0fadf4c742255f468b555c5308d2358e99a8265cd75246e873c3c3e371eae6380af29c4c2d36f69dd5759c632f05d6abeb18a2467c4bdbdf92bf

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\AddMeetingUser_2.bmp

MD5 e65808d2d1286615722ef257d64572a3
SHA1 1bd7e8ebd8718bca7f3d89b9afd5d98c0f33bc5f
SHA256 17f5afcd124ce1b013c4ed380d05790025136c10ceefc8b7cbc7675ab4623f36
SHA512 f548139063a3482f0dc9d0749061f9ee10aa60cbd06669d93e92e3d4f79dc618ab68f005c29ab0d4044abfeb39a50a70a5b68b13fd618e37eda8e28e1154202d

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\AddMeetingUser_0.bmp

MD5 b4a210ce3a46d183b47b711840c5274a
SHA1 985bc4815fdcbe43a36e8ada247ece660bbffbcb
SHA256 349f6cfb44127451b5fcbfdbb5e24daf659ca61e6eb8bf87d449b0487fb3b4ed
SHA512 1e0c541417a41922402bb906d62e88cbd61d33d0e02a25b931bbb3ea2a6354bb6458bc769efe9e66b44a74442bd8b5965a929a44a5d4d79d744f30687bdaadf2

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\calling_04.BMP

MD5 2ec91d1ce2b3c7bf8b0bea1e5dfd76d2
SHA1 fc1985054309d788e2a7acee4114797f4dda4d9a
SHA256 c89bb067d982388e97e6908a6090caf9f390876b414cd9a4d03848ba2146cc15
SHA512 0598c7e2024b5bcaacbbb28d2b63ab90f6717691ac5f54c87a7df2ac706a3258346ee6c7099f5bda89efefa92a0900f762a5d23aca866fcaa11b021936dc6a9d

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\dialog-box_slidebar.BMP

MD5 1509d4607def60f35d69ff55098d5c01
SHA1 911d6aa1a8267f6f48cbb58682794e6743c0a307
SHA256 d993062bcd4a4fded4123a805f2c494b5e67e7013168021fce4e53afabf526f4
SHA512 673eb9a657f2ec7c7b4b24bc790c4e157aa21e8b411d647e54bf69978576cc748ee5d61788c77eecd64baf5b8965c1996d3d93f6ec17dd7018b56dfde6f9a295

C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\tab_09.bmp

MD5 6118ea0ff98fbb784ea87c6e870becbd
SHA1 f7edfd4c1c2c3127d45a4ab40d8e70d58f133b4b
SHA256 8fa69f2403c04d1ae412798b6bb7efd1639ff4569943b7a1ce2c8dc6e8999523
SHA512 62a9223e965492c7afe526f0a04632f7725ab2f31428b6a48372f2aa6f9d7a7c2396739dbbbdf83e179e3657a731a1cd012b4ae217e62db345613b72ddf2c6d8

C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe

MD5 6d05bf5ebc761bff42890e231b4554d6
SHA1 f7053600daffa0f143d91562516335e03b1974d7
SHA256 6240d2dbfe65901f2483b36dc34e220cddbffb5f68b89233b847a232c46f9f4a
SHA512 8bd01f1e03c337727953c2c2cfceee1fbe5d0c41ef79335e4c23a542a2dd9206a9f171753b05501e0d77709229f89ea4d2971460adb25af3b960972fdfc6a6ea

\Program Files (x86)\ChinaNetSn\plugin\EDC\dc.exe

MD5 f3081446c9d261f90c8fde5d1732dba2
SHA1 d45c9b6b602b4f1491cb1174323626ef183e5fd1
SHA256 1548371df6638dd9db821f3802c654e43cc0633368e78cb56af698f3fe17a8b4
SHA512 e8adf88d8504a9003f50f9255a3d9ca8816850e1c5dbdcc89a0222405a453fd7093a67ae73b39676316d30d6875bc7ab174a70fc9fb5059ad5e4ff987ae4ba57

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

104s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\System.dll

MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c538f8af4f
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
SHA512 e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3

C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\ioSpecial.ini

MD5 982966ee98b35361ee4b79353480e5ac
SHA1 fdacadf0ba8c229928342cf0b6ce071f2da26403
SHA256 4aff05a6067b65e89459c0f20a22abb3665f7cc01c33ad11b2c4f9389f1a1f2d
SHA512 30d28483c34826e9e6c3ec1a638cec9d9c484e9a6a515a19f2069b0fe5bb8afff850a8487e0f85bdb98bb582e323ed821751a56efe68564aed9ea58d187fbac9

C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\InstallOptions.dll

MD5 1e8f2fefe3ce893b117b26948b8978cb
SHA1 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab
SHA256 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519
SHA512 b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c
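Every network table in this report lists traffic a stock Windows 10 analysis VM generates by itself: g.bing.com and tse1.mm.bing.net are Bing search-highlight and image fetches, c.pki.goog is Google Trust Services' PKI distribution host, and 8.8.8.8:53 is the sandbox's resolver. None of it is attributable to the sample, and the rows without a Domain column are flows the sandbox could not pair with a DNS answer. The Files lists likewise repeat content across runs: the System.dll dropped into nstBBB2.tmp and nsh7EC6.tmp has the same SHA256 (the NSIS System plugin re-extracted on each run). The Python below is an added triage example, not part of the sandbox's report or tooling. It parses the flattened network rows and file stanzas, separates background traffic from destinations the report leaves unexplained, and groups dropped files that share content. The background list, the resolver address and the rule that a nameless IP:port inherits the hostname seen for it in another row are assumptions; the sample rows are copied from the behavioral2 and behavioral24 tables above, except one truncated SHA1 constructed to exercise the digest length check.

```python
"""Triage helper for the flattened indicator tables in this report (added example)."""
import re
from collections import defaultdict

# Endpoints a stock Windows 10 analysis VM contacts on its own (Bing search and
# image tiles, Google PKI fetches) plus the sandbox's DNS forwarder. Assumed list:
# their presence says nothing about the sample; anything else needs a look.
BACKGROUND_DOMAINS = {"g.bing.com", "tse1.mm.bing.net", "www.bing.com", "c.pki.goog"}
SANDBOX_RESOLVER = "8.8.8.8:53"

# "Country Destination Domain Proto" rows; Domain is blank or N/A when the
# sandbox could not pair the flow with a DNS answer.
NETWORK_ROW = re.compile(
    r"^(?P<country>\S+)\s+(?P<dest>[\d.]+:\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
HASH_ROW = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512)\s+(?P<digest>[0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def classify_network(lines):
    """Bucket network rows into sandbox background traffic, bare DNS lookups and
    connections the report leaves unexplained."""
    rows = [m.groupdict() for m in map(NETWORK_ROW.match, (l.strip() for l in lines)) if m]
    for r in rows:
        if r["domain"] == "N/A":
            r["domain"] = None
    # Assumption: an IP:port the sandbox paired with a hostname in one row is the
    # same service when it appears nameless in another. The resolver is excluded
    # because every hostname is queried through it.
    known = {r["dest"]: r["domain"] for r in rows
             if r["domain"] and r["dest"] != SANDBOX_RESOLVER}
    out = {"background": set(), "dns_only": 0, "unattributed": set()}
    for r in rows:
        domain = r["domain"] or known.get(r["dest"])
        if r["dest"] == SANDBOX_RESOLVER and domain is None:
            out["dns_only"] += 1          # query the sandbox could not tie to a flow
        elif domain in BACKGROUND_DOMAINS:
            out["background"].add(domain)
        else:
            out["unattributed"].add(domain or r["dest"])
    out["background"] = sorted(out["background"])
    out["unattributed"] = sorted(out["unattributed"])
    return out


def parse_files(lines):
    """Group 'path / MD5 / SHA1 / SHA256 / SHA512' stanzas into {path: {alg: digest}}.
    A digest whose length does not fit its algorithm is a copy or extraction
    error, not a hash, and is dropped rather than propagated as an IOC."""
    files, current = {}, None
    for raw in lines:
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            if len(m["digest"]) == DIGEST_LEN[m["alg"]]:
                files[current][m["alg"]] = m["digest"].lower()
        elif "\\" in line:                # a Windows path opens a new stanza
            current = line
            files.setdefault(current, {})
    return files


def shared_content(files):
    """Paths whose content is byte-identical (same SHA256), e.g. the same NSIS
    plugin re-extracted into a fresh ns*.tmp directory on every run."""
    by_hash = defaultdict(list)
    for path, digests in files.items():
        if "SHA256" in digests:
            by_hash[digests["SHA256"]].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


# Rows copied from the behavioral2 and behavioral24 network tables of this report.
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 udp
N/A 199.232.210.172:80 tcp
N/A 142.250.187.227:80 tcp
N/A 52.111.229.43:443 tcp
"""

# Stanzas copied from the Files lists of this report; the short SHA1 on the
# second System.dll is CONSTRUCTED to show the length check dropping it.
FILE_ROWS = r"""
\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\System.dll
MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c538f8af4f
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\System.dll
MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c5
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\ioSpecial.ini
MD5 982966ee98b35361ee4b79353480e5ac
SHA256 4aff05a6067b65e89459c0f20a22abb3665f7cc01c33ad11b2c4f9389f1a1f2d
"""

if __name__ == "__main__":
    net = classify_network(NETWORK_ROWS.splitlines())
    print("background  :", net["background"])
    print("dns only    :", net["dns_only"])
    print("unattributed:", net["unattributed"])
    for digest, paths in shared_content(parse_files(FILE_ROWS.splitlines())).items():
        print("same content:", digest[:16], *paths)
```

Run it over all the Network and Files tables of a report at once rather than one analysis at a time: the hostname fallback only helps when the row that names an IP and the row that does not are in the same input, and the shared-content grouping only shows anything when more than one run's Files list is present.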

Analysis: behavioral17

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\Main.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\Main.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\Main.exe

"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

NetKeeper.exe

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20240729-en

Max time kernel

61s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe

"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

73s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe

"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

112s

Max time network

48s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 N/A udp
N/A 199.232.210.172:80 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 199.232.210.172:80 N/A tcp
N/A 199.232.210.172:80 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 142.250.187.227:80 N/A tcp
N/A 199.232.210.172:80 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
N/A 52.111.229.43:443 N/A tcp
US 8.8.8.8:53 N/A udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 256

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

88s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A
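The "Suspicious use of WriteProcessMemory" rows in this run, and in the other rundll32 runs of this report, pair C:\Windows\system32\rundll32.exe with C:\Windows\SysWOW64\rundll32.exe carrying the identical command line. That is the WoW64 re-launch: a 64-bit rundll32 handed a 32-bit DLL starts the 32-bit copy of itself, and the writes are the parent setting up the child it has just created, not injection into a foreign process. The WerFault lines then name that child (-p 212) as the process that crashed. $PLUGINSDIR, the ns*.tmp directories, System.dll and InstallOptions.dll are NSIS installer conventions; those plugins expect to be called by the NSIS runtime, so a crash when rundll32 calls their ordinal #1 is an artifact of detonating each dropped file in isolation, not behaviour of the sample. The Python below is an added example, not part of the sandbox's report or tooling. It parses these rows, separates the expected system32 to SysWOW64 relaunch from any write into a different image, and correlates WerFault's -p argument with the relaunched child. The rows are copied from this analysis; the explorer.exe write is constructed for contrast and appears nowhere in the report.

```python
"""Separate the rundll32 WoW64 re-launch from real cross-process writes and tie
WerFault back to the process that died (added example)."""
import re
from pathlib import PureWindowsPath

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>" rows
WRITE_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)
# WerFault.exe receives the crashing process as -p <pid>, both in its
# "-pss -s <n> -p <pid> -ip <pid>" and its "-u -p <pid> -s <handle>" forms.
WERFAULT_ROW = re.compile(r"\\WerFault\.exe\b.*\s-p (?P<pid>\d+)")


def is_wow64_relaunch(src_img, dst_img):
    """True when the 64-bit system32 image starts the SysWOW64 copy of itself,
    which is how rundll32 handles a DLL of the other bitness."""
    src, dst = PureWindowsPath(src_img), PureWindowsPath(dst_img)
    return (src.name.lower() == dst.name.lower()
            and src.parent.name.lower() == "system32"
            and dst.parent.name.lower() == "syswow64")


def correlate(lines):
    """Classify write rows and join them with WerFault's -p target."""
    relaunches, cross_writes, crashed = set(), set(), set()
    for line in (l.strip() for l in lines):
        m = WRITE_ROW.match(line)
        if m:
            pair = (int(m["src"]), int(m["dst"]))
            if is_wow64_relaunch(m["src_img"], m["dst_img"]):
                relaunches.add(pair)
            else:
                cross_writes.add(pair + (m["src_img"], m["dst_img"]))
            continue
        w = WERFAULT_ROW.search(line)
        if w:
            crashed.add(int(w["pid"]))
    return {
        "wow64_relaunch": sorted(relaunches),
        "cross_image_writes": sorted(cross_writes),   # the rows that deserve attention
        "crashed": sorted(crashed),
        # relaunched 32-bit host that then died: the DLL fell over inside rundll32
        "relaunched_then_crashed": sorted(dst for _, dst in relaunches if dst in crashed),
    }


# Rows copied from this analysis (behavioral4). The final write row is
# CONSTRUCTED for contrast and does not occur anywhere in this report.
BEHAVIORAL4_ROWS = r"""
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5068 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 624
PID 212 wrote to memory of 4000 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for key, value in correlate(BEHAVIORAL4_ROWS.splitlines()).items():
        print(f"{key:24}: {value}")
```

The relaunch check is deliberately narrow (same file name, system32 parent, SysWOW64 child); a rundll32 writing into any other image, or a SysWOW64 process writing back into a 64-bit one, lands in cross_image_writes and should be read as a possible injection rather than filtered out.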

Analysis: behavioral8

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win10v2004-20250314-en

Max time kernel

102s

Max time network

148s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system\npf.vxd C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system\npf.vxd C:\Windows\system32\cmd.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"

Network

Country Destination Domain Proto
GB 95.100.153.167:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe

"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2168 wrote to memory of 2524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

134s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 3040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

145s

Max time network

179s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 4664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4508 wrote to memory of 4664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4508 wrote to memory of 4664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

99s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Network

Country Destination Domain Proto
GB 95.100.153.164:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

101s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4464 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win10v2004-20250314-en

Max time kernel

114s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe

"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 N/A udp
N/A 52.167.249.196:443 N/A tcp
N/A 52.167.249.196:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
FR 2.22.250.115:80 N/A tcp
US 8.8.8.8:53 N/A udp
GB 142.250.187.227:80 N/A tcp
US 8.8.8.8:53 N/A udp
FR 2.22.250.115:80 N/A tcp
US 8.8.8.8:53 N/A udp
FR 2.22.250.115:80 N/A tcp
US 8.8.8.8:53 N/A udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:20

Platform

win7-20240729-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 248

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2025-03-29 17:23

Reported

2025-03-29 19:21

Platform

win10v2004-20250314-en

Max time kernel

109s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp

Files

N/A