Analysis Overview
SHA256
88e6926483429d26ff92654a1c9f1977d30c577654cad7e733e4d916413f6b96
Threat Level: Known bad
The file JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c was found to be: Known bad.
Malicious Activity Summary
Strela family
Detects Strela Stealer payload
Loads dropped DLL
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-29 17:23
Signatures
Detects Strela Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Strela family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
101s
Max time network
146s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3432 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
| PID 3432 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
| PID 3432 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\Main.exe
"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
NetKeeper.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 199.232.214.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win10v2004-20250314-en
Max time kernel
116s
Max time network
85s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 4012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1444 wrote to memory of 4012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1444 wrote to memory of 4012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 142.250.187.227:80 | N/A | tcp |
| US | 199.232.210.172:80 | N/A | tcp |
| US | 199.232.210.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 52.111.227.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/4012-0-0x0000000000AF0000-0x0000000000B55000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 236
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20240903-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 244
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20241010-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\npf.vxd | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system\npf.vxd | C:\Windows\system32\cmd.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20241010-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\msvcp60.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224
Network
Files
memory/2184-1-0x00000000001E0000-0x0000000000245000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win10v2004-20250314-en
Max time kernel
102s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1964 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1964 wrote to memory of 2824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2824 -ip 2824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 660
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| IT | 91.81.129.181:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| IT | 91.81.129.181:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 142.250.187.227:80 | N/A | tcp |
| IT | 91.81.129.181:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 52.111.236.23:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20250207-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20240903-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20241010-en
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250313-en
Max time kernel
101s
Max time network
56s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4336 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4336 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4336 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 199.232.214.172:80 | N/A | tcp |
| N/A | 199.232.214.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 142.250.187.227:80 | N/A | tcp |
| N/A | 199.232.214.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 52.111.243.31:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250313-en
Max time kernel
101s
Max time network
145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 3628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 3628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 3628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\npptools.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20240903-en
Max time kernel
37s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"
C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe
"C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe" anxiaohui
Network
Files
\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\System.dll
| MD5 | 10c44246d99a1c2e5f5e6b52b111a63d |
| SHA1 | 0f41da79c3e789f4ae38738e3a5d73c538f8af4f |
| SHA256 | 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8 |
| SHA512 | e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3 |
C:\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\ioSpecial.ini
| MD5 | a32169d6720f484fa583dfdba3816c20 |
| SHA1 | 323d1498d45ad3d2d332e3d6fc9ebe60dcd9695c |
| SHA256 | fc24b6a10aa2500e241a059f43b44adb14e9a4af39951b8f9368feca2eca6acf |
| SHA512 | d1eb28d7de74d014fbff745b7fc1fedb1bdf59b8c1dfe242928d40bdb8a30722b6c8a9b03f5833d6bf6bd390e6ac5f1ed5eabae94a3a54e84e372e366f965bc7 |
\Users\Admin\AppData\Local\Temp\nstBBB2.tmp\InstallOptions.dll
| MD5 | 1e8f2fefe3ce893b117b26948b8978cb |
| SHA1 | 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab |
| SHA256 | 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519 |
| SHA512 | b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\SKIN\school\MSSCCPRJ.SCC
| MD5 | 0cf6771381dd14893497a24d7427af1a |
| SHA1 | 14cba86b8b85bc9abe7f567ab98334d1a19a3758 |
| SHA256 | 3558c2a61fc57b54f80eb03e0873196125d37e6f079cac807602736b19b312ad |
| SHA512 | 6cfecf0e0fdaec5624d5b539571ce41e45d335a3b9c9755cf49c7b1383b6b1b8499ac23800bdeeed6c7540a9090902344d759dcd401788f7adcc5f69a51b1f41 |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\SKIN\system\button_enter.bmp
| MD5 | 72aa5131841566021c4125b5060b5d03 |
| SHA1 | 75066bc5a5c36d6350515e075c71a546d387ea53 |
| SHA256 | 33bb9ca96efa1c7712187208c9d489c504e869a5d646c78c3b5722e456d32a3a |
| SHA512 | dfac9f08c61a0fadf4c742255f468b555c5308d2358e99a8265cd75246e873c3c3e371eae6380af29c4c2d36f69dd5759c632f05d6abeb18a2467c4bdbdf92bf |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\AddMeetingUser_2.bmp
| MD5 | e65808d2d1286615722ef257d64572a3 |
| SHA1 | 1bd7e8ebd8718bca7f3d89b9afd5d98c0f33bc5f |
| SHA256 | 17f5afcd124ce1b013c4ed380d05790025136c10ceefc8b7cbc7675ab4623f36 |
| SHA512 | f548139063a3482f0dc9d0749061f9ee10aa60cbd06669d93e92e3d4f79dc618ab68f005c29ab0d4044abfeb39a50a70a5b68b13fd618e37eda8e28e1154202d |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\AddMeetingUser_0.bmp
| MD5 | b4a210ce3a46d183b47b711840c5274a |
| SHA1 | 985bc4815fdcbe43a36e8ada247ece660bbffbcb |
| SHA256 | 349f6cfb44127451b5fcbfdbb5e24daf659ca61e6eb8bf87d449b0487fb3b4ed |
| SHA512 | 1e0c541417a41922402bb906d62e88cbd61d33d0e02a25b931bbb3ea2a6354bb6458bc769efe9e66b44a74442bd8b5965a929a44a5d4d79d744f30687bdaadf2 |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\calling_04.BMP
| MD5 | 2ec91d1ce2b3c7bf8b0bea1e5dfd76d2 |
| SHA1 | fc1985054309d788e2a7acee4114797f4dda4d9a |
| SHA256 | c89bb067d982388e97e6908a6090caf9f390876b414cd9a4d03848ba2146cc15 |
| SHA512 | 0598c7e2024b5bcaacbbb28d2b63ab90f6717691ac5f54c87a7df2ac706a3258346ee6c7099f5bda89efefa92a0900f762a5d23aca866fcaa11b021936dc6a9d |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\dialog-box_slidebar.BMP
| MD5 | 1509d4607def60f35d69ff55098d5c01 |
| SHA1 | 911d6aa1a8267f6f48cbb58682794e6743c0a307 |
| SHA256 | d993062bcd4a4fded4123a805f2c494b5e67e7013168021fce4e53afabf526f4 |
| SHA512 | 673eb9a657f2ec7c7b4b24bc790c4e157aa21e8b411d647e54bf69978576cc748ee5d61788c77eecd64baf5b8965c1996d3d93f6ec17dd7018b56dfde6f9a295 |
C:\Program Files (x86)\ChinaNetSn\plugin\EDC\dconf\SKIN\tab_09.bmp
| MD5 | 6118ea0ff98fbb784ea87c6e870becbd |
| SHA1 | f7edfd4c1c2c3127d45a4ab40d8e70d58f133b4b |
| SHA256 | 8fa69f2403c04d1ae412798b6bb7efd1639ff4569943b7a1ce2c8dc6e8999523 |
| SHA512 | 62a9223e965492c7afe526f0a04632f7725ab2f31428b6a48372f2aa6f9d7a7c2396739dbbbdf83e179e3657a731a1cd012b4ae217e62db345613b72ddf2c6d8 |
C:\Program Files (x86)\ChinaNetSn\bin\srasport.exe
| MD5 | 6d05bf5ebc761bff42890e231b4554d6 |
| SHA1 | f7053600daffa0f143d91562516335e03b1974d7 |
| SHA256 | 6240d2dbfe65901f2483b36dc34e220cddbffb5f68b89233b847a232c46f9f4a |
| SHA512 | 8bd01f1e03c337727953c2c2cfceee1fbe5d0c41ef79335e4c23a542a2dd9206a9f171753b05501e0d77709229f89ea4d2971460adb25af3b960972fdfc6a6ea |
\Program Files (x86)\ChinaNetSn\plugin\EDC\dc.exe
| MD5 | f3081446c9d261f90c8fde5d1732dba2 |
| SHA1 | d45c9b6b602b4f1491cb1174323626ef183e5fd1 |
| SHA256 | 1548371df6638dd9db821f3802c654e43cc0633368e78cb56af698f3fe17a8b4 |
| SHA512 | e8adf88d8504a9003f50f9255a3d9ca8816850e1c5dbdcc89a0222405a453fd7093a67ae73b39676316d30d6875bc7ab174a70fc9fb5059ad5e4ff987ae4ba57 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
104s
Max time network
146s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d08d410e92bb112cff5dcc9707c637c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\System.dll
| MD5 | 10c44246d99a1c2e5f5e6b52b111a63d |
| SHA1 | 0f41da79c3e789f4ae38738e3a5d73c538f8af4f |
| SHA256 | 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8 |
| SHA512 | e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3 |
C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\ioSpecial.ini
| MD5 | 982966ee98b35361ee4b79353480e5ac |
| SHA1 | fdacadf0ba8c229928342cf0b6ce071f2da26403 |
| SHA256 | 4aff05a6067b65e89459c0f20a22abb3665f7cc01c33ad11b2c4f9389f1a1f2d |
| SHA512 | 30d28483c34826e9e6c3ec1a638cec9d9c484e9a6a515a19f2069b0fe5bb8afff850a8487e0f85bdb98bb582e323ed821751a56efe68564aed9ea58d187fbac9 |
C:\Users\Admin\AppData\Local\Temp\nsh7EC6.tmp\InstallOptions.dll
| MD5 | 1e8f2fefe3ce893b117b26948b8978cb |
| SHA1 | 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab |
| SHA256 | 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519 |
| SHA512 | b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c |
Analysis: behavioral17
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
142s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
| PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
| PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
| PID 1700 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\bin\Main.exe | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\Main.exe
"C:\Users\Admin\AppData\Local\Temp\bin\Main.exe"
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
NetKeeper.exe
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20240729-en
Max time kernel
61s
Max time network
21s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe
"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
73s
Max time network
165s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe
"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
112s
Max time network
48s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 199.232.210.172:80 | | tcp |
| N/A | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 142.250.187.227:80 | | tcp |
| N/A | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
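The Network tables in these runs are dominated by traffic that Windows 10 sandboxes generate on their own (Bing asset fetches, Google PKI revocation checks) plus DNS lookups sent to 8.8.8.8, and some rows have an empty Domain column. The script below is an added example written for this page, not part of the sandbox report: it parses rows in the report's pipe-table layout (including the rows where the empty Domain cell shifted "tcp"/"udp" left), fills an empty Domain from another row that resolved the same IP, separates sandbox background from destinations that still need an analyst's attention, and returns the latter. The background allowlist, the treatment of 8.8.8.8 as the sandbox resolver, and the sample table (a constructed copy of behavioral24's rows) are assumptions for illustration; nothing here attributes the unlabelled IPs to a service.

```python
from collections import Counter

# Constructed copy of the behavioral24 Network rows on this page, kept in the
# shape the report extractor produced (two rows have an empty Domain cell).
SAMPLE_NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 199.232.210.172:80 | tcp | |
| N/A | 142.250.187.227:80 | tcp | |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| N/A | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | udp |
"""

# Assumptions for this example: the sandbox forwards DNS to 8.8.8.8, and these
# domain suffixes are OS background traffic rather than sample-driven activity.
SANDBOX_RESOLVER = "8.8.8.8"
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "pki.goog",
                       "msftconnecttest.com", "windowsupdate.com")


def parse_network_table(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts.
    Rows whose Domain cell is empty arrive with 'tcp'/'udp' in the Domain
    column and a missing or empty Proto column; normalise those."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Country":
            continue                      # header row
        cells += [""] * (4 - len(cells))  # pad short rows
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and proto == "":
            domain, proto = "", domain    # shifted row: no Domain recorded
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower(), "inferred": False})
    return rows


def attribute_domains(rows):
    """Fill an empty Domain from another non-DNS row that used the same IP."""
    known = {}
    for r in rows:
        if r["domain"] and r["port"] != 53:
            known.setdefault(r["ip"], r["domain"])
    for r in rows:
        if not r["domain"] and r["port"] != 53 and r["ip"] in known:
            r["domain"], r["inferred"] = known[r["ip"]], True
    return rows


def classify(row):
    """Bucket one row: resolver DNS, OS background, or something to review."""
    if row["ip"] == SANDBOX_RESOLVER and row["port"] == 53 and row["proto"] == "udp":
        return "dns-to-sandbox-resolver"
    d = row["domain"].lower()
    if d and any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "os-background"
    return "unattributed-review" if not d else "review"


def triage_network(text):
    """Return category counts and the de-duplicated list of destinations that
    the background allowlist does not explain."""
    rows = attribute_domains(parse_network_table(text))
    counts, review, seen = Counter(), [], set()
    for r in rows:
        cat = classify(r)
        counts[cat] += 1
        item = (r["ip"], r["port"], r["proto"], r["domain"] or None)
        if cat.endswith("review") and item not in seen:
            seen.add(item)
            review.append(item)
    return {"counts": dict(counts), "needs_review": review}


if __name__ == "__main__":
    result = triage_network(SAMPLE_NETWORK)
    print(result["counts"])
    for dest in result["needs_review"]:
        print("review:", dest)
```

Applied to the constructed rows, the 142.250.187.227:80 row without a Domain is attributed to c.pki.goog from the labelled row and drops out as background, leaving only the two destinations the report never names for review. Run the same function over each analysis's Network table before treating any of it as C2.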
Analysis: behavioral31
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 256
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
88s
Max time network
170s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5068 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5068 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win10v2004-20250314-en
Max time kernel
102s
Max time network
148s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\npf.vxd | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system\npf.vxd | C:\Windows\system32\cmd.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\98ipcap.bat"
Network
| Country | Destination | Domain | Proto |
| GB | 95.100.153.167:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
122s
Max time network
144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe
"C:\Users\Admin\AppData\Local\Temp\bin\DelEntry.exe"
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2168 wrote to memory of 2524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\Updatemode.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
134s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\bmpres.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win7-20240903-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\detector.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
145s
Max time network
179s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4508 wrote to memory of 4664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4508 wrote to memory of 4664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4508 wrote to memory of 4664 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
99s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 95.100.153.164:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
101s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\doload.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 652
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win10v2004-20250314-en
Max time kernel
114s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe
"C:\Users\Admin\AppData\Local\Temp\bin\bindconfirm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.167.249.196:443 | | tcp |
| N/A | 52.167.249.196:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| FR | 2.22.250.115:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 142.250.187.227:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| FR | 2.22.250.115:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| FR | 2.22.250.115:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:20
Platform
win7-20240729-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bin\DLmode.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 248
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-03-29 17:23
Reported
2025-03-29 19:21
Platform
win10v2004-20250314-en
Max time kernel
109s
Max time network
143s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe
"C:\Users\Admin\AppData\Local\Temp\bin\NetKeeper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |