simda | d93ffa8d7084e845143e873f008fccf133d17cdf2f57e18c67c6f56ba7a278bf

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Size

283KB
MD5

be6f20b2e737a97abdd7dd2c7c00961e
SHA1

831fb7c3e64470f814d5380999a453bae25580c5
SHA256

d93ffa8d7084e845143e873f008fccf133d17cdf2f57e18c67c6f56ba7a278bf
SHA512

fbe7aa6600d8606ea861571b1a748cfd2ccd9b876825d527bd4379ecac80ae099a6bb90eefbec69bef671ad05e74e5605867f4d5b0c1b5120d80635a307d60dd
SSDEEP

6144:fggjN08z6NtTzCJjvfCiCYBnrgH1l/jdN1IBonLdcJghNCGwPvLkNj:fzjx04JjbBnEHjB82nL5hNC9wZ

Score

10^/10

simda discovery persistence stealer trojan

Malware Config

Extracted

Family

simda

Attributes

dga
cihunemyror.eu

digivehusyd.eu

vofozymufok.eu

fodakyhijyv.eu

nopegymozow.eu

gatedyhavyd.eu

marytymenok.eu

jewuqyjywyv.eu

qeqinuqypoq.eu

kemocujufys.eu

rynazuqihoj.eu

lyvejujolec.eu

tucyguqaciq.eu

xuxusujenes.eu

puzutuqeqij.eu

ciliqikytec.eu

dikoniwudim.eu

vojacikigep.eu

fogeliwokih.eu

nofyjikoxex.eu

gadufiwabim.eu

masisokemep.eu

jepororyrih.eu

qetoqolusex.eu

keraborigin.eu

ryqecolijet.eu

lymylorozig.eu

tunujolavez.eu

xubifaremin.eu

puvopalywet.eu

cicaratupig.eu

dixemazufel.eu

volebatijub.eu

fokyxazolar.eu

nojuletacuf.eu

gahihezenal.eu

magofetequb.eu

jefapexytar.eu

qederepuduf.eu

kepymexihak.eu

rytuvepokuv.eu

lyruxyxaxaw.eu

tuwikypabud.eu

xuqohyxeqak.eu

pumadypyruv.eu

cinepycusaw.eu

divywysigud.eu

vocumucokaj.eu

foxivusozuc.eu

nozoxucavaq.eu

galokusemus.eu

makagucyraj.eu

jejedudupuc.eu

qegytuvufoq.eu

kefuwidijyp.eu

rydinivoloh.eu

lysovidacyx.eu

tupazivenom.eu

xutekidywyp.eu

puregivytoh.eu

ciqydofudyx.eu

dimutobihom.eu

voniqofolyt.eu

fobonobaxog.eu

novacofebyz.eu

gacezobeqon.eu

maxyjofytyt.eu

jeluganusog.eu

qekusagigyz.eu

kejitanokon.eu

ryhoqagoxyr.eu

lygananavof.eu

tufecagemyl.eu

xudylenyrob.eu

pupujeguper.eu

citifemifif.eu

dirosehijel.eu

voworemoziv.eu

foqaqehacew.eu

nomebemenid.eu

ganycyhywek.eu

mavulymupiv.eu

jecijyjudew.eu

qexofyqihid.eu

kezapyjolek.eu

ryleryqacic.eu

lykemujebeq.eu

tujybuqeqis.eu

xuguxujytej.eu

pufiluqudic.eu

cidohukigeq.eu

disafuwokis.eu

vopepukaxej.eu

fotyriwavix.eu

norumikemem.eu

gaquviwyrup.eu

mamixikusah.eu

jenokirifux.eu

qebahilojam.eu

kevedorozup.eu

rycypolavag.eu

lyxuworenuz.eu

tulimolywan.eu

xukovoruput.eu

pujoxolufag.eu

cihakotihuz.eu

digegazolan.eu

vofydatacut.eu

fodutazenaf.eu

nopiwatyqul.eu

gatonazytab.eu

maravatudur.eu

jewezexigaf.eu

qeqekepokul.eu

kemygexaxab.eu

rynudepebur.eu

lyvitexemod.eu

tucoqepyryk.eu

xuxanexusov.eu

puzecypigyw.eu

cilyzycojod.eu

dikujysozyk.eu

vojugycavov.eu

fogisysemyq.eu

nofotycywos.eu

gadaqusupyj.eu

masenucifoc.eu

jepycudijyq.eu

qetuluvolos.eu

kerijudacyj.eu

ryqofuvenoc.eu

lymosudyqym.eu

tunarivutop.eu

xubeqidudyh.eu

puvybivihox.eu

cicucifokym.eu

dixilibaxop.eu

volojifebeh.eu

fokafobeqix.eu

nojepofyren.eu

gaherobusit.eu

magymofigeg.eu

jefubonokiz.eu

qedixogazen.eu

kepolonavit.eu

rytahagemeg.eu

lyrefanyril.eu

tuwypagupeb.eu

xuquranifir.eu

pumumagojef.eu

cinivamolil.eu

divoxehaceb.eu

vocakemenir.eu

foxehehywef.eu

nozydemutik.eu

galupehudev.eu

makiwemihiw.eu

jejomejoled.eu

qegovyqaxuk.eu

kefaxyjebav.eu

rydekyqyquw.eu

lysygyjytad.eu

tupudyqusuj.eu

xutityjigac.eu

purowuqokuq.eu

ciqanukaxas.eu

dimevuwevuj.eu

vonezukemac.eu

fobykuwyruq.eu

novugukupap.eu

gaciduwifuh.eu

maxotikojax.eu

jelaqirozum.eu

qekenilacap.eu

kejycirenuh.eu

ryhuzilywax.eu

lygujirupum.eu

tufigolidat.eu

xudosorihug.eu

pupatololoz.eu

citeqotacyn.eu

dirynozebot.eu

vowucotyqyg.eu

foqilozutoz.eu

nomojatudyn.eu

ganofazigor.eu

mavasatokyf.eu

jeceraxaxol.eu

qexyqapevyb.eu

kezubaxemor.eu

rylicepyryf.eu

lykolexusol.eu

tujajepifyv.eu

xugefexojow.eu

pufepepazyd.eu

cidyrecavok.eu

disumesenyv.eu

vopibycywow.eu

fotoxysupyd.eu

noralycifok.eu

gaqehysohec.eu

mamyfycoliq.eu

jenupydaces.eu

qeburuvenij.eu

kevimudyqec.eu

rycovuvutiq.eu

lyxaxududes.eu

tulekuvigij.eu

xukyhudokex.eu

pujuduvaxim.eu

cihipifebep.eu

digowibymih.eu

vofomifyrex.eu

fodavibusim.eu

nopexifigep.eu

gatykibojig.eu

marugofazez.eu

jewidonevin.eu

qeqotogemet.eu

kemawonywig.eu

rynenogupez.eu

lyvevonifun.eu

tucyzogojat.eu

xuxukanoluf.eu

puzigagacal.eu

cilodamenub.eu

dikatahyqar.eu

vojeqamutuf.eu

fogynahidal.eu

nofucemihub.eu

gaduzehokar.eu

masijemaxud.eu

jepogejebak.eu

qetaseqyquv.eu

keretejuraw.eu

ryqyqequsud.eu

lymunyjigak.eu

tunicyqokuv.eu

xubolyjazaq.eu

puvojyqevus.eu

cicafykemaj.eu

dixesywyruc.eu

volyrukupoq.eu

fokuquwifys.eu

nojibukojoj.eu

gahocuwalyc.eu

magalukacom.eu

jefejurenyp.eu

qedefulywoh.eu

kepypirutyx.eu

ryturilidom.eu

lyrimirohyp.eu

tuwobiloloh.eu

xuqaxiraxyx.eu

pumelilebon.eu

cinyhotyqyt.eu

divufozutog.eu

vocupotusyz.eu

foxirozigon.eu

nozomotokyt.eu

galavozaxog.eu

makexotevyl.eu

jejykaxymob.eu

qeguhapyrer.eu

kefidaxupif.eu

rydopapifel.eu

lysowaxojib.eu

tupamapazer.eu

xutevexecif.eu

puryxepenek.eu

ciqukecywiv.eu

dimigesupew.eu

vonodecidid.eu

fobatesohek.eu

novewecoliv.eu

gacenysacew.eu

maxyvycebid.eu

jeluzydyqej.eu

qekikyvutic.eu

kejogydideq.eu

ryhadyvigis.eu

lygetudokej.eu

tufyquvaxic.eu

xudunudeveq.eu

pupucuvymup.eu

citizufurah.eu

dirojubusux.eu

vowagufifam.eu

foqesibojup.eu

nomytifazah.eu

ganuqibevux.eu

mavinifenam.eu

jecocinywut.eu

qexoligupag.eu

kezajonifuz.eu

rylefogohan.eu

lykysonalut.eu

tujurogacag.eu

xugiqonenuz.eu

pufobogyqan.eu

cidacomutur.eu

diselahidaf.eu

vopejamogul.eu

fotyfahokab.eu

norupamaxur.eu

gaqirahebof.eu

mamomamymyl.eu

jenabejurov.eu

qebexequsyw.eu

kevylejigod.eu

rycuheqojyk.eu

lyxufejazov.eu

tulipeqevyw.eu

xukorejymod.eu

pujamyqywyk.eu

cihevykupoc.eu

digyxywifyq.eu

vofukykojos.eu

fodihywalyj.eu

nopodykecoc.eu

gatopuwenyq.eu

marawukyqos.eu

jewemurutyj.eu

qeqyvulidox.eu

kemuxurohym.eu

rynikulokop.eu

lyvoguraxeh.eu

tucadilebix.eu

xuxetiryqem.eu

puzewilurip.eu

cilynitiseg.eu

dikuvizigiz.eu

vojizitoken.eu

fogokozazit.eu

nofagoteveg.eu

gadedozymiz.eu

masytoturen.eu

jepuqoxupit.eu

qetunopifef.eu

kericoxojil.eu

ryqozapaleb.eu

lymajaxecir.eu

tunegapenef.eu

xubysaxywil.eu

puvutaputeb.eu

ciciqacidir.eu

dixonesohed.eu

volocecaluk.eu

fokalesaxav.eu

nojejecebuw.eu

gahyfesyqad.eu

magusecutuk.eu

jefiredisav.eu

qedoqyvoguq.eu

kepabydokas.eu

rytecyvaxuj.eu

lyrelydevac.eu

tuwyjyvymuq.eu

xuqufyduras.eu

pumipuvupuj.eu

cinorufifac.eu

divamubojum.eu

vocebufazap.eu

foxyxubecuh.eu

nozulufynax.eu

galuhubywum.eu

makififupap.eu

jejopiniduh.eu

qegarigohox.eu

kefeminalyn.eu

rydyvigecot.eu

lysuxinebyg.eu

tupikogyqoz.eu

xutohonutyn.eu

purodogidot.eu

ciqapomogyg.eu

dimewohokol.eu

vonymomaxyb.eu

fobuvohevor.eu

novixamymyf.eu

gacokahurol.eu

maxagamisyb.eu

jeledajifor.eu

qeketaqojyf.eu

kejywajazok.eu

ryhuneqevyv.eu

lygivejynow.eu

tufozequwyd.eu

xudakejupok.eu

pupegeqifev.eu

citydekohiw.eu

dirutewaled.eu

vowuqykecij.eu

foqinywenec.eu

nomocykyqiq.eu

ganazywutes.eu

mavejykidij.eu

jecygyrogec.eu

qexusulakiq.eu

kezituraxep.eu

ryloqulebih.eu

lykonurymex.eu

tujaculurim.eu

xugelurisep.eu

pufyjulogih.eu

cidufitojex.eu

disisizazim.eu

voporitevet.eu

fotaqizymig.eu

norebituwez.eu

gaqecizupun.eu

mamylotifat.eu

jenujoxojug.eu

qebifopalaz.eu

kevopoxecun.eu

rycaropynar.eu

lyxemoxyquf.eu

tulyboputal.eu

xukuxaxidub.eu

pujulapohar.eu

cihihacakuf.eu

digofasexal.eu

vofapacebuv.eu

foderasyqaw.eu

nopymecurud.eu

gatuvesisak.eu

marixecoguv.eu

jewokedokaw.eu

qeqohevazud.eu

kemadedevak.eu

rynepevymuc.eu

lyvywyduroq.eu

tucumyvipys.eu

xuxivydifoj.eu

puzoxyvojyc.eu

cilakyfaloq.eu

dikegybecys.eu

vojedufynoj.eu

fogytubuwyx.eu

nofuwufutom.eu

gadinubidyp.eu

masovufohoh.eu

jepazunalyx.eu

qetekugexom.eu

keryginebyp.eu

ryqudigyqog.eu

lymutinutyz.eu

tuniqigison.eu

xuboninogyt.eu

puvacigakog.eu

cicezomaxyz.eu

dixyjohevon.eu

volugomymet.eu

fokisohurif.eu

nojotomipel.eu

gahoqohofib.eu

maganomojer.eu

jefecajazif.eu

qedylaqecel.eu

kepujajynib.eu

rytifaquwer.eu

lyrosajupid.eu

tuwaraqidek.eu

xuqeqejohiv.eu

pumebeqalew.eu

cinycekecid.eu

divulewybek.eu

vocijekyqiv.eu

foxofewuteq.eu

nozapekidis.eu

galerywogej.eu

makymykakic.eu

jejubyrexeq.eu

qeguxylevus.eu

kefilyrymaj.eu

rydohyluruc.eu

lysafurisam.eu

tupepulofup.eu

xutyrurojah.eu

purumulazux.eu

ciqivutevam.eu

dimoxuzynup.eu

vonokutuwah.eu

fobahizipux.eu

noveditifan.eu

gacypizohut.eu

maxuwitalag.eu

jelimixecuz.eu

qekovipynan.eu

kejaxoxuqut.eu

ryhekoputag.eu

lygegoxidul.eu

tufydopogab.eu

xudutoxakur.eu

pupiwopexof.eu

citonocebyl.eu

diravasymob.eu

vowezacuryr.eu

foqykasisof.eu

nomugacogyk.eu

ganudasajov.eu

mavitacazyw.eu

jecoqedevod.eu

qexanevymyk.eu

kezeceduwov.eu

rylyzevipyw.eu

lykujedofod.eu

tujigevojyj.eu

xugosedaloc.eu

pufotyvecyq.eu

cidaqyfynos.eu

disenybuqyj.eu

vopycyfutoc.eu

fotulybidyq.eu

norijyfohop.eu

gaqofubakeh.eu

mamasufexix.eu

jenerunybem.eu

qebequgyqip.eu

kevybunureh.eu

rycucugisix.eu

lyxilunogem.eu

tulojigakit.eu

xukafinezeg.eu

pujepigeviz.eu

cihyrimymen.eu

digumihurit.eu

vofubimipeg.eu

fodixohofiz.eu

nopolomojen.eu

gatahohalir.eu

marefomecef.eu

jewypojynil.eu

qequroquweb.eu

kemimojitir.eu

rynovaqidef.eu

lyvoxajohul.eu

tucakaqalav.eu

xuxehajexuw.eu

puzydaqybad.eu

cilupakuquk.eu

dikiwewutav.eu

vojomekisuw.eu

fogavewogad.eu

nofexekakuk.eu

gadekewexac.eu

masygekevuq.eu

jepuderymas.eu

qetityluruj.eu

kerowyripac.eu

ryqanylofuq.eu

lymevyrajas.eu

tunyzylazuj.eu

xubukyrecax.eu

puvugulynum.eu

cicidutuwap.eu

dixotuzipuh.eu

volaqutodox.eu

fokenuzohym.eu

nojycutalop.eu

gahuzuzecyg.eu

magijityboz.eu

jefogixuqyn.eu

qedosiputot.eu

kepatixidyg.eu

ryteqipogoz.eu

lyrynixakyn.eu

tuwucopexot.eu

xuqiloxyvyf.eu

pumojopymol.eu

cinafocuryb.eu

divesosisor.eu

vocerocofyf.eu

foxyqosajol.eu

nozubacezyb.eu

galicasevor.eu

makolacynyd.eu

jejajaduwok.eu

qegefavipev.eu

kefypadofiw.eu

rydurevohed.eu

lysumedalik.eu

tupibevecev.eu

xutoxedyniq.eu

puralevuqes.eu

ciqehefitij.eu

dimyfebidec.eu

vonupyfogiq.eu

fobirybakes.eu

novomyfexij.eu

gacovybybec.eu

maxaxyfumim.eu

jelekynurep.eu

qekyhugisih.eu

kejudunogex.eu

ryhipugajim.eu

lygowunezep.eu

tufamugevih.eu

xudevunymex.eu

pupexuguwun.eu

citykimipat.eu

dirugihofug.eu

vowidimajaz.eu

foqotihalun.eu

nomawimecat.eu

ganenihynug.eu

mavyvomuqal.eu

jecuzojitub.eu

qexukoqodar.eu

kezigojohuf.eu

rylodoqakal.eu

lykatojexub.eu

tujeqoqybar.eu

xugynajuquf.eu

pufucaqurak.eu

cidizakisuv.eu

disojawogaw.eu

vopogakakud.eu

fotasawezak.eu

noretekyvuv.eu

gaqyqewymow.eu

mamunekuryd.eu

jeniceripoj.eu

qebolelofyc.eu

kevajerajoq.eu

rycefelelys.eu

lyxesyrecoj.eu

tulyrylynyc.eu

xukuqyruwoq.eu

pujibylityp.eu

cihocytodoh.eu

digalyzohyx.eu

vofejutalom.eu

fodyfuzexyp.eu

nopuputyboh.eu

gaturuzuqyx.eu

marimutitom.eu

jewobuxisyt.eu

qeqaxupogog.eu

kemelixakyz.eu

rynyhipexon.eu

lyvufixyvet.eu

tucipipumig.eu

xuxorixurez.eu

puzomipipin.eu

cilavocofer.eu

dikexosajif.eu

vojykocezel.eu

foguhosecib.eu

nofidocyner.eu

gadoposuwif.eu

masawocipel.eu

jepemadodiv.eu

qetevavahew.eu

keryxadalid.eu

ryqukavecek.eu

lymigadybiv.eu

tunodavuqew.eu

xubateditid.eu

puvewevodek.eu

cicynefogic.eu

dixuvebakeq.eu

voluzefexus.eu

fokikebyvaj.eu

nojogefumuc.eu

gahadyburaq.eu

magetyfisus.eu

jefyqynofaj.eu

qedunygajux.eu

kepicynezam.eu

rytozygyvup.eu

lyrojunynah.eu

tuwaguguwux.eu

xuqesunipam.eu

pumytugofup.eu

cinuqumahag.eu

divinuheluz.eu

vococumecan.eu

foxalihynut.eu

nozejimuqag.eu

galefihituz.eu

makysimodan.eu

jejurijogut.eu

qegiqiqakof.eu

kefobojexyl.eu

rydacoqybob.eu

lyselojumyr.eu

tupyjoqirof.eu

xutufojisyl.eu

purupoqogob.eu

ciqirokajyr.eu

dimomawezod.eu

vonabakyvyk.eu

fobexawumov.eu

novylakuwyw.eu

gacuhawipod.eu

maxifakofyk.eu

jeloperajov.eu

qekorelelyq.eu

kejamerecos.eu

ryhevelynyj.eu

lygyxeruqoc.eu

tufukelityq.eu

xudiherodos.eu

pupodylahej.eu

citapytakic.eu

direwyzexem.eu

vowemytybip.eu

foqyvyzuqeh.eu

nomuxytirix.eu

ganikuzosem.eu

mavogutogip.eu

jecaduxakeh.eu

qexetupezix.eu

kezywuxyven.eu

rylunupumit.eu

lykuvuxureg.eu

tujizipipiz.eu

xugokixofen.eu

pufagipajit.eu

cidediceleg.eu

disytisycil.eu

vopuqicyneb.eu

fotinosuwir.eu

norococitef.eu

gaqozosodul.eu

mamajocahab.eu

jenegodelur.eu

qebysovexaf.eu

kevutodybuk.eu

ryciqavuqav.eu

lyxonadituw.eu

tulacavosad.eu

xukeladoguk.eu

pujejavakav.eu

cihyfafexuw.eu

digusebyvad.eu

vofirefumuj.eu

fodoqebirac.eu

nopabefipuq.eu

gatecebofas.eu

marylefajuj.eu

jewujenezac.eu

qequfygycuq.eu

kemipynunap.eu

rynoryguwuh.eu

lyvamynipox.eu

tucebygodym.eu

xuxyxynahop.eu

puzulugelyh.eu

cilihumecox.eu

dikofuhybym.eu

vojopumuqot.eu

fogaruhityg.eu

nofemumodoz.eu

gadyvuhagyn.eu

masuximakot.eu

jepikijexyg.eu

qetohiqyvoz.eu

keradijumyn.eu

ryqepiqiror.eu

lymewijosyf.eu

tunymoqofol.eu

xubuvojajyb.eu

puvixoqezor.eu

cicokokyvyf.eu

dixagowunol.eu

voledokuwev.eu

fokytowipiw.eu

nojuwakofed.eu

gahunawahik.eu

magivakelev.eu

jefozaryciw.eu

qedakalyned.eu

kepegaruqik.eu

rytydelitec.eu

lyruterodiq.eu

tuwiqelages.eu

xuqonerekij.eu

pumocelexec.eu

cinazetybiq.eu

divejezumes.eu

vocygytirij.eu

foxusyzosex.eu

nozitytogim.eu

galoqyzajep.eu

makanytezih.eu

jejecyxyvex.eu

qegelupumum.eu

kefyjuxiwap.eu

rydufupipug.eu

lysisuxofaz.eu

tuporupajun.eu

xutaquxelat.eu

purebupycug.eu

ciqycicunaz.eu

dimulisuqun.eu

vonujicitat.eu

fobifisoduf.eu

novopicahal.eu

gacarisekub.eu

maxemocexar.eu

jelybodybuf.eu

qekuxovuqal.eu

kejilodirub.eu

ryhohovosar.eu

lygofodagud.eu

tufapovakak.eu

xuderadezuv.eu

pupymavyvow.eu

cituvafumyd.eu

dirixabirok.eu

vowokafopyv.eu

foqahabofoq.eu

nomedefajys.eu

ganepebeloj.eu

mavywefycyc.eu

jecumenunoq.eu

qexiveguwys.eu

kezoxenitoj.eu

rylakegodyc.eu

lykegynahom.eu

tujydygelyp.eu

xugutynyxoh.eu

pufuwygybyx.eu

cidinymuqom.eu

disovyhityp.eu

vopazumosoh.eu

fotekuhagyx.eu

norygumekon.eu

gaquduhexet.eu

mamitumyvig.eu

jenoqujumez.eu

qebonuqirin.eu

kevacijopet.eu

ryceziqofig.eu

lyxyjijajel.eu

tulugiqezib.eu

xukisijycer.eu

pujotiqunif.eu

cihaqokiwel.eu

digenowipib.eu

vofecokoder.eu

fodylowahif.eu

nopujokelek.eu

gatifowyciv.eu

marosokubew.eu

jewararuqid.eu

qeqeqalitek.eu

kemybarodiv.eu

rynucalagew.eu

lyvularekud.eu

tucijalexaj.eu

xuxoferyvuc.eu

puzapelumaq.eu

cileretirus.eu

dikymezosaj.eu

vojubetafuc.eu

fogixezajaq.eu

nofoletezup.eu

gadohyzyvah.eu

masafytunux.eu

jepepyxiwam.eu

qetyrypopup.eu

kerumyxofah.eu

ryqivypahux.eu

lymoxuxelam.eu

tunakupycut.eu

xubehuxunag.eu

puvedupuquz.eu

cicypucitan.eu

dixuwusodut.eu

volimucagog.eu

fokovisekyz.eu

nojaxicyxon.eu

gahekisybyr.eu

magygicumof.eu

jefudidiryl.eu

qedutivosob.eu

kepiwodagyr.eu

rytonovejof.eu

lyravodezyl.eu

tuwezovyvov.eu

xuqykodumyw.eu

pumugoviwod.eu

cinidofopyk.eu

divotabofov.eu

vocoqafajyw.eu

foxanabelod.eu

nozecafycyk.eu

galyzabunoc.eu

makujafiqyq.eu

jejigenitos.eu

qegosegodej.eu

kefatenahic.eu

rydeqegekeq.eu

lysenenyxis.eu

tupycegubej.eu

xutulenuqix.eu

purijygirem.eu

ciqofymosip.eu

dimasyhageh.eu

vonerymekix.eu

fobyqyhezem.eu

novubymyvip.eu

gacucuhumeg.eu

maxilumiriz.eu

jelojujopen.eu

qekafuqafit.eu

kejepujajeg.eu

ryhyruqeliz.eu

lygumujycen.eu

tufibiqunit.eu

xudoxijiwef.eu

pupoliqotul.eu

citahikodab.eu

direfiwahur.eu

vowypikelaf.eu

foqurowyxul.eu

nomimokubab.eu

ganovowuqur.eu

mavaxokitad.eu

jecekorosuk.eu

qexeholagav.eu

kezydorekuw.eu

rylupalyxad.eu

lykiwaryvuk.eu

tujomalumav.eu

xugavariruq.eu

pufexalopas.eu

cidykatafuj.eu

disugezejac.eu

vopudetezuq.eu

fotitezycas.eu

norowetunuj.eu

gaqaneziwoc.eu

mamevetopym.eu

jenyzexodop.eu

qebukypahyh.eu

kevigyxelox.eu

rycodypycym.eu

lyxotyxubop.eu

tulaqypiqyh.eu

xukenyxitox.eu

pujycupodyn.eu

cihuzucagot.eu

digijusekyg.eu

vofogucyxoz.eu

fodasusuvyn.eu

nopetucumot.eu

gatequsiryg.eu

marynicosol.eu

jewucidafyb.eu

qeqilivejor.eu

kemojidezyf.eu

rynafivyvol.eu

lyvesiduneb.eu

tucyroviwir.eu

xuxuqodopef.eu

puzubovafik.eu

cilicofahev.eu

dikolobeliw.eu

vojajofyced.eu

fogefobunik.eu

nofypafiqev.eu

gadurabotiw.eu

masimafoded.eu

jepobanagij.eu

qetoxagekec.eu

keralanyxiq.eu

ryqehegubes.eu

lymyfenumij.eu

tunupegirec.eu

xubirenosiq.eu

puvomegagep.eu

cicavemejih.eu

dixexehyzex.eu

volekymyvum.eu

fokyhyhumap.eu

nojudymiwuh.eu

gahipyhopax.eu

magowymafum.eu

jefamyjejat.eu

qedevuqelug.eu

kepyxujycaz.eu

rytukuqunun.eu

lyrugujiqat.eu

tuwiduqotug.eu

xuqotujodaz.eu

pumawuqahun.eu

cinenikekar.eu

divyviwyxuf.eu

vocuzikubal.eu

foxikiwiqub.eu

nozogikirar.eu

galodiwosuf.eu

makatokagal.eu

jejeqorekuv.eu

qegynolyzow.eu

kefucoruvyd.eu

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE,"	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Simda family
simda
simda
Simda is an infostealer written in C++.
stealer trojan simda

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e85e2f = "°{#¯&Jñ.rÛð\"!N©ì4Ýc\x10Eb'\x15.d\x11ÅZl\x1e˜c…\x1c©nm<¶j`lÀ¹p\x1fÁ N\x03:Ð\x1dws\x14ë)žPŽuÐ™Yw&ýÈXìxi\x11\x14¨ŸJ\f\u008d0\x14=«O\n\\m\u0081—;Ë³ÙZSÅqá©åA¬!·lä«Ëù]\x0fù{œÕ'Ò8¦©ÕUó?c4+Ç\x10ÍºD±\x13¨±\"ïó\t¼cùÕBç\u00adÜ[\x10ý~¼Åý§…q\x03\f\t§I¹'¨ËÆ©úc;!º!\x11›?¯!ÑGŠâŸÓ?º!á\x7fä\x13\x17ýZ\"š¦\x17!O\u00adi¼»º³ÈÿZõÓúá{\u0081?\x1b‰+É\x19½½óÒ§=—‰¥\r§8å³Ï°ØB’.žï6\x1d+“Ù\x10Úâ•Ë9\u008d·"	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JAFFAC~1.EXE"	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sRyDWMMyp	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
File created	C:\Windows\SysWOW64\sRyDW¡	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
File opened for modification	C:\Windows\SysWOW64\amfwuaigceimritxumyd	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Token: SeSecurityPrivilege	5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Token: SeSecurityPrivilege	5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Token: SeSecurityPrivilege	5384	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
Token: SeSecurityPrivilege	2688	JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 2688	3936	cmd.exe	95
PID 3936 wrote to memory of 2688	3936	cmd.exe	95
PID 3936 wrote to memory of 2688	3936	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be6f20b2e737a97abdd7dd2c7c00961e.exe
  C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-128-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/2688-129-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-0-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-1-0x0000000002330000-0x0000000002386000-memory.dmp

Filesize
344KB

Download
memory/5384-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5384-3-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/5384-4-0x0000000002390000-0x0000000002442000-memory.dmp

Filesize
712KB

Download
memory/5384-5-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/5384-6-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-10-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-8-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-87-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-93-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-117-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-116-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-115-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-114-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-113-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-111-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-110-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-109-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-108-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-107-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-106-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-105-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-103-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-102-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-100-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-99-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-97-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-96-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-95-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-94-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-92-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-91-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-90-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-89-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-88-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-86-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-85-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-84-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-82-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-81-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-80-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-79-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-78-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-76-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-75-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-74-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-72-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-71-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-70-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-69-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-112-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-68-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-67-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-66-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-104-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-65-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-101-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-64-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-98-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-63-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-83-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-77-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-73-0x0000000002680000-0x0000000002738000-memory.dmp

Filesize
736KB

Download
memory/5384-132-0x0000000002330000-0x0000000002386000-memory.dmp

Filesize
344KB

Download
memory/5384-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download