Malware Analysis Report

2025-08-11 01:07

Sample ID 240404-qqa5hshf88
Target b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118
SHA256 9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51

Threat Level: Known bad

The file b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Adds policy Run key to start application

Drops file in Drivers directory

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Discovers systems in the same network

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 13:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 13:27

Reported

2024-04-04 13:30

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\smss.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\s4827\smss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
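The registry rows above are flattened from the sandbox's signature tables, which makes them awkward to diff across the two detonations. The following Python is an added example, not part of the sandbox report and not code from the sample, that parses rows in exactly that layout, folds the Wow6432Node view into the native key path, classifies each write into the persistence and evasion locations the report names, and lists the programs that the Winlogon Shell/Userinit, Run and Policies\Explorer\run values would start beyond the Windows defaults. The embedded rows are copied from the behavioral1 tables; the category labels, the Finding type and the expected-default table are this example's own assumptions.

```python
"""Parse flattened sandbox signature rows into registry persistence findings."""
import re
from dataclasses import dataclass

# One flattened row:  <op> <key>[ = "<value>"] <process> N/A
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key value queried) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<val>.*)")?'
    r' (?P<proc>\S+) N/A$'
)

# Locations this report exercises, matched on the canonical key path.
# The category labels are this example's own (assumption).
CATEGORIES = [
    ("winlogon_shell",    re.compile(r"\\Winlogon\\Shell$", re.I)),
    ("winlogon_userinit", re.compile(r"\\Winlogon\\Userinit$", re.I)),
    ("policy_run",        re.compile(r"\\Policies\\Explorer\\run\\[^\\]+$", re.I)),
    ("run",               re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("hide_file_ext",     re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I)),
    ("hide_super_hidden", re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)),
    ("disable_regedit",   re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I)),
]
# What a clean install starts from the two Winlogon values (assumed defaults).
EXPECTED = {
    "winlogon_shell": {"explorer.exe"},
    "winlogon_userinit": {r"c:\windows\system32\userinit.exe"},
}

@dataclass
class Finding:
    category: str
    key: str         # canonical key path
    value: str       # decoded value data ("" for key-only rows)
    process: str     # process that performed the write
    launched: tuple  # programs the value starts that are not Windows defaults

def unescape(data: str) -> str:
    # The report prints value data with C-style escapes (\" and \\).
    return re.sub(r"\\(.)", r"\1", data)

def canonical_key(key: str) -> str:
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key)
    key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", key)
    # A 32-bit writer's HKLM\SOFTWARE writes land under Wow6432Node on x64;
    # fold that view so both detonations compare on the same path.
    return re.sub(r"\\Wow6432Node", "", key, flags=re.I)

def programs_started(category: str, value: str) -> list:
    """Split an autostart value into the executables it would run."""
    if category in ("run", "policy_run"):
        return [value.strip('"')]
    if category == "winlogon_userinit":   # comma-separated list
        return [p.strip() for p in value.split(",") if p.strip()]
    if category == "winlogon_shell":      # space-separated, entries may be quoted
        return [m.group(1) or m.group(2) for m in re.finditer(r'"([^"]+)"|(\S+)', value)]
    return []

def parse_row(line: str):
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key = canonical_key(m.group("key"))
    for category, pattern in CATEGORIES:
        if pattern.search(key):
            break
    else:
        return None   # a key-only row or a location this example does not track
    value = unescape(m.group("val") or "")
    expected = EXPECTED.get(category, set())
    launched = tuple(p for p in programs_started(category, value) if p.lower() not in expected)
    return Finding(category, key, value, m.group("proc"), launched)

def analyze(rows: str) -> list:
    return [f for f in map(parse_row, rows.splitlines()) if f]

def autostart_iocs(findings) -> list:
    """Deduplicated programs wired into logon across all findings."""
    return sorted({p for f in findings for p in f.launched})

# Rows copied from the behavioral1 tables above (constructed excerpt).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6267422.exe" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4267427.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4218c = "\"C:\\Windows\\_default26742.pif\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N4218c = "\"C:\\Windows\\j6267422.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
'''

if __name__ == "__main__":
    findings = analyze(SAMPLE_ROWS)
    for f in findings:
        print(f"{f.category:18} {f.launched or f.value}  <- {f.process.rsplit(chr(92), 1)[-1]}")
    print("autostart IOCs:", *autostart_iocs(findings), sep="\n  ")
```

Two points the parser makes visible. First, the Winlogon and Run keys sit under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on a 64-bit host is redirected there, while HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is one of the keys Windows shares between both views, which is why the policy Run key appears without the prefix; folding the views is what lets the two detonations be compared on equal paths. Second, run over the behavioral2 rows the same parser yields j6251222.exe, o4251227.exe and _default25122.pif in place of the behavioral1 names, so those file names and the N4218c/N3948c value name are per-run, whereas the f1464Adm value name, the s4827 directory, zh59927084y.exe and the dv692700x\yesbron.com path are identical in both runs and are the better indicators to hunt on.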

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\s4827 C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\c_26742k.com C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\c_26742k.com C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\c_26742k.com C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\smss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\j6267422.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\o4267427.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\_default26742.pif C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\_default26742.pif C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\o4267427.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\_default26742.pif C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\j6267422.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\o4267427.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\j6267422.exe C:\Windows\SysWOW64\s4827\smss.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\s4827\smss.exe

"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
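The process list shows the dropped copy launching under the name smss.exe from C:\Windows\SysWOW64\s4827\ with the argument ~Brontok~Log~, while its own command line spells the directory as system32; behavioral2 adds csrss.exe, lsass.exe, winlogon.exe and services.exe from the same directory. The following Python is an added example, not from the report or the sample, that flags core Windows process names running from anywhere other than %SystemRoot%\System32 and folds the 32-bit process's system32 spelling onto the SysWOW64 location the sandbox recorded so the two spellings collapse to one image. The command lines are constructed from the Process columns of both detonations plus one benign control path that is not in the report; the set of core process names and their single expected directory are assumptions about a default x64 install.

```python
"""Flag core Windows process names running outside %SystemRoot%\\System32."""
import ntpath
import re

# Processes that exist only in System32 on a default x64 install (assumption:
# there is no SysWOW64 copy of these, so any other directory is a masquerade).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe",
                  "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32 = r"c:\windows\system32"

def image_from_cmdline(cmdline: str):
    """Return (image path, arguments) from a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()

def is_masquerading(image: str) -> bool:
    # Compared on the path as given: a core name outside System32 is wrong
    # whether the caller spelled it system32 or the sandbox recorded SysWOW64.
    directory, name = ntpath.split(image.lower())
    return name in CORE_PROCESSES and directory != SYSTEM32

def fold_wow64(path: str) -> str:
    """Canonical form: a 32-bit process's 'system32' and the sandbox's
    'SysWOW64' name the same directory on x64 (file-system redirection)."""
    return re.sub(r"\\syswow64\\", r"\\system32\\", path.lower())

def triage(cmdlines) -> dict:
    """One record per distinct on-disk image, keyed by its folded path."""
    records = {}
    for cmdline in cmdlines:
        image, args = image_from_cmdline(cmdline)
        rec = records.setdefault(fold_wow64(image), {
            "images": [], "args": set(), "masquerading": is_masquerading(image)})
        rec["images"].append(image)
        if args:
            rec["args"].add(args)
    return records

# Constructed from the Process columns of both detonations, plus one benign
# control path (the last entry) that does not appear in the report.
OBSERVED_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"',
    r"C:\Windows\SysWOW64\s4827\smss.exe",
    r'"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~',
    r"C:\Windows\SysWOW64\s4827\csrss.exe",
    r"C:\Windows\SysWOW64\s4827\lsass.exe",
    r"C:\Windows\SysWOW64\s4827\winlogon.exe",
    r"C:\Windows\SysWOW64\s4827\services.exe",
    r"C:\Windows\SysWOW64\s4827\m4623.exe",
    r"C:\Windows\Ad10218\qm4623.exe",
    r"C:\Windows\System32\smss.exe",
]

if __name__ == "__main__":
    for key, rec in triage(OBSERVED_CMDLINES).items():
        tag = "MASQUERADE" if rec["masquerading"] else "ok"
        print(f"{tag:10} {key}  args={sorted(rec['args'])}")
```

The folded key is what reconciles the Command Line entry above (system32) with the Process column (SysWOW64): both name the same file, so a hunt keyed on either spelling alone misses half the events. On a live host the same check applies to image paths from Sysmon process-creation events or Get-Process, and the name-in-wrong-directory pattern is ATT&CK's Masquerading: Match Legitimate Name or Location (T1036.005); the five s4827 copies here trip it while the real smss.exe does not.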

Network

N/A

Files

memory/2044-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\c_26742k.com

MD5 b98322e43d25ba7b38c3417dda1e16a4
SHA1 a393719aadb658cca5ad6d151802ad35350b0c67
SHA256 9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
SHA512 311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

memory/2784-22-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 13:27

Reported

2024-04-04 13:30

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\Ad10218\qm4623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\Ad10218\qm4623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4251227.exe\"" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6251222.exe" C:\Windows\SysWOW64\s4827\lsass.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Ad10218\qm4623.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\s4827\services.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Ad10218\qm4623.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\s4827\smss.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\Ad10218\qm4623.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3948c = "\"C:\\Windows\\_default25122.pif\"" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" C:\Windows\Ad10218\qm4623.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Ad10218\qm4623.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\s4827\m4623.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\s4827\csrss.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\s4827\smss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\s4827\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\Ad10218\qm4623.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\m4623.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\services.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\SysWOW64\s4827\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3948c = "\"C:\\Windows\\j6251222.exe\"" C:\Windows\Ad10218\qm4623.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" C:\Windows\SysWOW64\s4827\m4623.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\s4827\lsass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\c_25122k.com C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin C:\Windows\SysWOW64\s4827\smss.exe N/A
File created C:\Windows\SysWOW64\s4827\domlist.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\lsass.exe N/A
File created C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\m4623.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\m4623.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\services.exe N/A
File created C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\Ad10218\qm4623.exe N/A
File created C:\Windows\SysWOW64\s4827\c.bron.tok.txt C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\s4827\m4623.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\lsass.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\domlist.txt C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\m4623.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\csrss.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\Ad10218\qm4623.exe N/A
File created C:\Windows\SysWOW64\s4827\Spread.Mail.Bro\[email protected] C:\Windows\SysWOW64\s4827\services.exe N/A
File created C:\Windows\SysWOW64\s4827\services.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File created C:\Windows\SysWOW64\s4827\csrss.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\Ad10218\qm4623.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\services.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\csrss.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\m4623.exe N/A
File opened for modification C:\Windows\SysWOW64\c_25122k.com C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827\zh59927084y.exe C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\s4827\m4623.exe N/A
File opened for modification C:\Windows\SysWOW64\s4827 C:\Windows\SysWOW64\s4827\csrss.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\csrss.exe N/A
File created C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\lsass.exe N/A
File created C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\smss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\o4251227.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Ad10218\qm4623.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\Ad10218 C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\Ad10218\qm4623.exe N/A
File created C:\Windows\j6251222.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\smss.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\csrss.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\lsass.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\m4623.exe N/A
File created C:\Windows\o4251227.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\lsass.exe N/A
File created C:\Windows\Ad10218\qm4623.exe C:\Windows\SysWOW64\s4827\winlogon.exe N/A
File created C:\Windows\j6251222.exe C:\Windows\Ad10218\qm4623.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\m4623.exe N/A
File created C:\Windows\_default25122.pif C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\services.exe N/A
File opened for modification C:\Windows\_default25122.pif C:\Windows\SysWOW64\s4827\csrss.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Windows\SysWOW64\s4827\m4623.exe N/A
File opened for modification C:\Windows\j6251222.exe C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\o4251227.exe C:\Windows\SysWOW64\s4827\csrss.exe N/A

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\s4827\winlogon.exe N/A (this identical row appears 64 times in the raw report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
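
The table above is the raw record of the process tree: every row is one WriteProcessMemory call from a parent into a freshly created child, and the sandbox logs the same parent/child pair several times. The script below is an added example (the editor's own code, not part of the sandbox report): it parses the rows exactly as printed, collapses repeated rows into one edge while keeping the repeat count, and renders the indented tree and the lineage of any PID. The ROWS string is the table copied verbatim; the parsing regex and the rendering format are assumptions of this example.

```python
"""Rebuild the process tree from the WriteProcessMemory table (added example)."""
import ntpath
import re
from collections import defaultdict

# Constructed input: the table rows of this report, copied verbatim.
ROWS = r"""
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4920 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe C:\Windows\SysWOW64\s4827\smss.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 4476 wrote to memory of 3832 N/A C:\Windows\SysWOW64\s4827\smss.exe C:\Windows\SysWOW64\s4827\winlogon.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 3472 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\services.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 2488 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\csrss.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 4900 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\lsass.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 3496 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\Ad10218\qm4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 2688 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\s4827\m4623.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 928 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 392 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 3832 wrote to memory of 5064 N/A C:\Windows\SysWOW64\s4827\winlogon.exe C:\Windows\SysWOW64\at.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4036 N/A C:\Windows\SysWOW64\s4827\lsass.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
"""

# Row format as printed in the report (paths here contain no spaces).
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image, row_count)}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        key = (int(m.group(1)), int(m.group(2)))
        pimg, cimg, n = edges.get(key, (m.group(3), m.group(4), 0))
        edges[key] = (pimg, cimg, n + 1)  # repeated rows collapse to one edge
    return edges


def build_tree(edges):
    """Children per PID (table order), image per PID, and the root PIDs."""
    children, image = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg, _) in edges.items():
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
    child_pids = {c for (_, c) in edges}
    roots = sorted({p for (p, _) in edges if p not in child_pids})
    return children, image, roots


def lineage(edges, pid):
    """PIDs from the root down to pid (each child has exactly one parent)."""
    parent = {c: p for (p, c) in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(edges):
    """One indented line per process, with the write count on each edge."""
    children, image, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, n):
        tag = f" (x{n} writes)" if n else ""
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}{tag}")
        for c in children.get(pid, []):
            walk(c, depth + 1, edges[(pid, c)][2])

    for r in roots:
        walk(r, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_rows(ROWS))))
```

The tree makes the division of labour readable at a glance: smss.exe spawns winlogon.exe, winlogon.exe fans out to the other renamed copies and to the three at.exe jobs, and only the lsass.exe branch reaches cmd.exe and net.exe.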

Processes

C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"

C:\Windows\SysWOW64\s4827\smss.exe

"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~

C:\Windows\SysWOW64\s4827\winlogon.exe

"C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~

C:\Windows\SysWOW64\s4827\services.exe

"C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~

C:\Windows\SysWOW64\s4827\csrss.exe

"C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~

C:\Windows\SysWOW64\s4827\lsass.exe

"C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~

C:\Windows\Ad10218\qm4623.exe

"C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~

C:\Windows\SysWOW64\s4827\m4623.exe

"C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~

C:\Windows\SysWOW64\at.exe

"C:\Windows\System32\at.exe" /delete /y

C:\Windows\SysWOW64\at.exe

"C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

C:\Windows\SysWOW64\at.exe

"C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"

C:\Windows\SysWOW64\net.exe

net view /domain
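
Two things in the process list deserve a note. First, the command lines say C:\Windows\system32\s4827\... while the resolved image paths (and the file events above) say C:\Windows\SysWOW64\s4827\...: the sample is a 32-bit process on 64-bit Windows, so WoW64 file-system redirection maps its System32 writes to SysWOW64. Second, the dropped copies borrow the names of core Windows processes (smss, winlogon, services, csrss, lsass) but live in a subdirectory, the at.exe jobs install a daily trigger, and cmd.exe pipes net view /domain into domlist.txt. The script below is an added example (the editor's own detection logic, not sandbox output) that runs three such rules over the process list as printed; the list is copied from this report, the rule names and regexes are assumptions of the example, and a real hunting query would apply the same rules to Sysmon event ID 1 or EDR process-creation telemetry.

```python
"""Detection rules over the process list of this report (added example)."""
import ntpath
import re
from typing import NamedTuple, Optional

# Constructed input: (resolved image path, command line) copied from the
# "Processes" section of this report.
PROCESS_LIST = [
    (r"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe"'),
    (r"C:\Windows\SysWOW64\s4827\smss.exe", r'"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~'),
    (r"C:\Windows\SysWOW64\s4827\winlogon.exe", r'"C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~'),
    (r"C:\Windows\SysWOW64\s4827\services.exe", r'"C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~'),
    (r"C:\Windows\SysWOW64\s4827\csrss.exe", r'"C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~'),
    (r"C:\Windows\SysWOW64\s4827\lsass.exe", r'"C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~'),
    (r"C:\Windows\Ad10218\qm4623.exe", r'"C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~'),
    (r"C:\Windows\SysWOW64\s4827\m4623.exe", r'"C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~'),
    (r"C:\Windows\SysWOW64\at.exe", r'"C:\Windows\System32\at.exe" /delete /y'),
    (r"C:\Windows\SysWOW64\at.exe",
     r'"C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"'),
    (r"C:\Windows\SysWOW64\at.exe",
     r'"C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"'),
    (r"C:\Windows\SysWOW64\net.exe", r"net view /domain"),
]

# Core Windows processes that legitimately run only from the system directories
# (SysWOW64 included, because of WoW64 redirection for 32-bit processes).
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# at.exe <HH:MM> /every:<days> "<command>"  (the /delete /y form does not match)
AT_JOB = re.compile(r'\s(\d{1,2}:\d{2})\s+/every:(\S+)\s+"?([^"]+)"?', re.I)
# net view /domain, run directly or wrapped in cmd /c with output redirection
NET_VIEW_DOMAIN = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+view\s+/domain\b", re.I)


class Finding(NamedTuple):
    rule: str
    image: str
    detail: str


def check_masquerade(image: str) -> Optional[Finding]:
    """Core process name running from anywhere but System32/SysWOW64 itself."""
    name, parent = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
    if name in CORE_NAMES and parent not in SYSTEM_DIRS:
        return Finding("core-name-outside-system-dir", image, parent)
    return None


def check_at_job(image: str, cmdline: str) -> Optional[Finding]:
    """at.exe creating a recurring job."""
    if ntpath.basename(image).lower() != "at.exe":
        return None
    m = AT_JOB.search(cmdline)
    if not m:
        return None
    return Finding("at-recurring-job", image, f"{m.group(1)} every {m.group(2)} -> {m.group(3)}")


def check_domain_enum(image: str, cmdline: str) -> Optional[Finding]:
    """Domain host enumeration via net view /domain."""
    if NET_VIEW_DOMAIN.search(cmdline):
        return Finding("net-view-domain", image, cmdline)
    return None


def analyse(process_list):
    """Apply every rule to every process; return the findings in list order."""
    findings = []
    for image, cmdline in process_list:
        for f in (check_masquerade(image), check_at_job(image, cmdline),
                  check_domain_enum(image, cmdline)):
            if f is not None:
                findings.append(f)
    return findings


def by_rule(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(PROCESS_LIST):
        print(f"{f.rule:30} {f.image}\n{'':30} {f.detail}")
```

Against this report the rules fire nine times: five renamed copies under s4827, two recurring at.exe jobs (the /delete /y call that clears the job list is deliberately not flagged), and net view /domain twice, once in the cmd.exe wrapper and once in net.exe itself. The masquerade rule keys on the parent directory rather than the full path so it also catches copies dropped anywhere else, such as a user profile or a removable drive.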

Network

Country Destination Domain (PTR query name, reversed octets) Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 201.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4920-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\c_25122k.com (MD5/SHA-1/SHA-256 identical to the executed sample b98322e43d25ba7b38c3417dda1e16a4_JaffaCakes118.exe: a byte-for-byte self-copy, not a new payload)

MD5 b98322e43d25ba7b38c3417dda1e16a4
SHA1 a393719aadb658cca5ad6d151802ad35350b0c67
SHA256 9b5efb363cb8516b3515051b3299689e23e34f1b2444fc2234233148a2f30e51
SHA512 311599e2885fe7e4ccb4bad5d0c4d6ee948cf14307c5885b64398fd861951d86581406545395845daa666984b6f5eb2dbe6fcde66e13202033970b46623efeec

memory/4476-45-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\s4827\winlogon.exe

MD5 43683a4440b56ea4d970c69f58b3fc6f
SHA1 21ae77d2ec00138f45cfe1282d1147f3a213c988
SHA256 d69550dff7298724248f01164066b715ab8117346b43d78294d102039f41a1da
SHA512 a06adc52c0e0d3cbedafe1368f4790365f890b117481d0d3b328d29cc0b60a796b4c0a42b562a071ed27e916b62623cef2863910f7ced1ef42b91b159e744ef3

memory/3832-72-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Windows\SysWOW64\s4827\lsass.exe

MD5 b3c64b09b9545db87fb18d1c61eea5e4
SHA1 304279ac23e6fbc57ddf944b0bc7d5411cbe5b43
SHA256 e53ba6b4b3653c15b1215d9861b8cbd23cb6abc9f1e2aa8d5439fb8686f1799d
SHA512 bef8d808dd4c37038b3f3228c6b9d165702e439b43106ba0d5406015eaaa46400c80e4bd6d3ac6a13eb67efd79576ac3da9ffed04cdc6e41f0f589c6dd1f4c4b

C:\Windows\Ad10218\qm4623.exe

MD5 d7c9c847bb18e1d8d660a8d7131a0bd4
SHA1 e71a019cd991b55a0d2dbe28fd6849ad3fb5652f
SHA256 0bec29a05754b63ec110080bf220584759ffbf0aa73afb702babed788329d855
SHA512 45d44a5fdb76e3106f6f7d0f87cff33c4c989e06e6ac1d15b48d864710b8c81cc77e1e0737c33fca3ffeba45b5727e1f0d73a4a14995fa74c7d117bc7d23b4d7

C:\Windows\SysWOW64\s4827\m4623.exe

MD5 87e74a75a08c6314c15653161ae3fe37
SHA1 3c8be278b74c15d3c2770ab89ba98aff1aaf2130
SHA256 4ab2da8beaf54f5e68844d2450973b4f98a7110ad732a45e13c55aa18eb0c634
SHA512 ea287553c6eb2b5c7f4b0e2105cff3f3d7a2a43ae8799f91e883f556579e5e1cc1b03eadf1f9a4e7388d5cce0a2874a2b6835be9137e2633457452cbf83b648c

memory/4900-145-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3496-149-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2688-164-0x0000000000400000-0x0000000000417000-memory.dmp