Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1hlw6acd85
Target e3582e1202a0db99c881b1905092010b_JaffaCakes118
SHA256 bd2e5907d8cd980222629e406b520184dfe32628b550aeab607e6b28ab355f62
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd2e5907d8cd980222629e406b520184dfe32628b550aeab607e6b28ab355f62

Threat Level: Known bad

The file e3582e1202a0db99c881b1905092010b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:42

Platform

win7-20240221-en

Max time kernel

163s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vuode.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\vuode.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /U" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /z" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /q" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /E" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /I" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /J" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /K" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /r" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /c" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /m" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /b" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /C" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /a" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /o" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /v" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /w" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /G" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /B" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /h" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /T" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /Y" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /i" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /s" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /p" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /R" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /S" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /l" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /M" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /V" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /j" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /Z" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /y" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /H" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /D" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /X" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /u" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /L" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /n" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /f" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /x" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /g" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /O" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /P" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /W" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /A" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /F" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /Q" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /N" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /t" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /e" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /d" C:\Users\Admin\vuode.exe N/A
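
The two registry tables above (the single ShowSuperHidden write and the 51 rewrites of the same Run value, each with a different random switch) are easier to act on once the raw sandbox rows are collapsed into one finding per value. The following Python is an added triage helper, not part of this report or of the sandbox that produced it; the sample rows are copied from the tables above and are constructed input, and the hive abbreviation (HKCU/HKLM) and the "exe directly under a user profile root" heuristic are the author's assumptions, not sandbox output.

```python
"""Triage helper for sandbox registry events (added example; see lead-in)."""
import re
from collections import defaultdict

# Constructed sample input: three of the registry events from the behavioral1
# tables above (the ShowSuperHidden write and two of the 51 Run-key writes).
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /U" C:\Users\Admin\vuode.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuode = "C:\\Users\\Admin\\vuode.exe /z" C:\Users\Admin\vuode.exe N/A
'''

# One "Set value" row: type, key path, value name, data, writing process, target.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)
# Native hive prefix with a per-user SID -> the HKCU abbreviation rules are written against.
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+', re.I)
# Heuristic (assumption): an .exe sitting directly in a profile root, C:\Users\<user>\x.exe.
PROFILE_ROOT_EXE_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$', re.I)


def normalize_key(key: str) -> str:
    """Map \\REGISTRY\\USER\\<SID>\\... to HKCU\\... (and MACHINE to HKLM), lower-cased."""
    key = USER_HIVE_RE.sub('HKCU', key)
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key, flags=re.I)
    return key.lower()


def split_command(data: str):
    """Split an escaped Run-key command ("C:\\\\x.exe /U") into (image, arguments)."""
    data = data.replace('\\\\', '\\').strip()
    m = re.match(r'"([^"]+)"\s*(.*)$|(\S+)\s*(.*)$', data)
    if not m:
        return data, ''
    image = m.group(1) or m.group(3)
    args = (m.group(2) or m.group(4) or '').strip()
    return image, args


def parse_event(line: str):
    """Return the row's fields plus a normalized key, or None for non-matching lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['nkey'] = normalize_key(ev['key'])
    return ev


def triage(text: str) -> dict:
    """Collapse repeated writes to one finding per Run value and flag ShowSuperHidden=0."""
    hidden_off = []  # processes that disabled display of super-hidden files
    run = defaultdict(lambda: {'writes': 0, 'switches': set(), 'procs': set()})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if (ev['nkey'].endswith(r'\explorer\advanced')
                and ev['name'].lower() == 'showsuperhidden' and ev['data'] == '0'):
            hidden_off.append(ev['proc'])
        elif ev['nkey'].endswith(r'\currentversion\run'):
            image, args = split_command(ev['data'])
            entry = run[(ev['nkey'], ev['name'].lower())]
            entry['image'] = image
            entry['writes'] += 1          # 51 rewrites in the report collapse to one entry
            entry['switches'].add(args)   # the switch varies per write; keep the set
            entry['procs'].add(ev['proc'])
    findings = []
    for (key, name), e in run.items():
        findings.append({
            'key': key, 'name': name, 'image': e['image'],
            'writes': e['writes'], 'switches': sorted(e['switches']),
            # the persisted binary is the process doing the writing
            'self_persist': any(p.lower() == e['image'].lower() for p in e['procs']),
            'profile_root_exe': bool(PROFILE_ROOT_EXE_RE.match(e['image'])),
        })
    return {'show_super_hidden_disabled': hidden_off, 'run_keys': findings}


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Feeding the full behavioral1 table through `triage` yields a single Run finding for `vuode` with 51 writes, a 51-entry switch set, and both flags set, which is the shape to carry into a hunt query (value name, image path, and "self-registering exe under a profile root") rather than 51 separate rows.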

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\vuode.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe C:\Users\Admin\vuode.exe
PID 2700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe C:\Users\Admin\vuode.exe
PID 2700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe C:\Users\Admin\vuode.exe
PID 2700 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe C:\Users\Admin\vuode.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
PID 2612 wrote to memory of 2700 N/A C:\Users\Admin\vuode.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe
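
The WriteProcessMemory table above is 64 rows but only two distinct edges: the dropper (PID 2700) wrote into the dropped vuode.exe (PID 2612) four times, and vuode.exe then wrote back into its parent sixty times. The Python below is an added example of collapsing such rows into a process-write graph; it is not code from this report or from the sandbox. The sample rows are constructed to mirror the two row shapes and counts above, and the rendering format is the author's own.

```python
"""Summarize cross-process memory writes from a sandbox report (added example)."""
import re
from collections import Counter

# Constructed sample: the two row shapes in the WriteProcessMemory table above,
# repeated to match the counts there (4 parent->child, 60 child->parent).
DROPPER = r'C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe'
DROPPED = r'C:\Users\Admin\vuode.exe'
SAMPLE_ROWS = (
    [f'PID 2700 wrote to memory of 2612 N/A {DROPPER} {DROPPED}'] * 4
    + [f'PID 2612 wrote to memory of 2700 N/A {DROPPED} {DROPPER}'] * 60
)

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ '
    r'(?P<src_img>\S+) (?P<dst_img>\S+)$'
)


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit('\\', 1)[-1]


def parse_row(line: str):
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(rows) -> dict:
    """Count writes per (writer, target) edge and find pairs that wrote into each other."""
    edges = Counter()
    names = {}
    for line in rows:
        r = parse_row(line)
        if r is None:
            continue
        src, dst = int(r['src']), int(r['dst'])
        edges[(src, dst)] += 1
        names[src] = r['src_img']
        names[dst] = r['dst_img']
    # an edge in both directions: each process wrote into the other's memory
    mutual = sorted({tuple(sorted(e)) for e in edges if (e[1], e[0]) in edges})
    return {
        'edges': [
            {'src': s, 'dst': d, 'writes': n, 'src_img': names[s], 'dst_img': names[d]}
            for (s, d), n in sorted(edges.items())
        ],
        'mutual_pairs': [{'pids': p, 'images': (names[p[0]], names[p[1]])} for p in mutual],
        'process_names': names,
    }


def render(summary: dict) -> list:
    """One text line per edge, e.g. '2700 (x.exe) --4x--> 2612 (y.exe)'."""
    return [
        f"{e['src']} ({basename(e['src_img'])}) --{e['writes']}x--> "
        f"{e['dst']} ({basename(e['dst_img'])})"
        for e in summary['edges']
    ]


if __name__ == '__main__':
    s = summarize(SAMPLE_ROWS)
    print('\n'.join(render(s)))
    for p in s['mutual_pairs']:
        print('mutual writes between', p['pids'])
```

The mutual-write pair is the part worth keeping in the analyst's notes: the table shows both the original sample and the file it dropped writing into each other's address space, which is not something a benign installer and its payload normally do. The report does not record what was written, so the graph says only who wrote into whom and how often.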

Processes

C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe"

C:\Users\Admin\vuode.exe

"C:\Users\Admin\vuode.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 107.178.223.183:8000 ns1.mediashares.org tcp
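
Three of the four network rows above are DNS lookups sent to the sandbox's resolver (8.8.8.8:53); only the last row is the sample contacting a host it resolved. Treating the resolver as an indicator is a common triage mistake, so the Python below, an added example rather than code from this report or the sandbox, splits the table into names looked up and endpoints actually contacted. The resolver set is an assumption to be replaced with the resolvers of the analysis environment; the sample table is the behavioral1 Network table copied above.

```python
"""Turn a sandbox network table into hunt-ready indicators (added example)."""
import re

# Constructed sample: the header and four rows of the behavioral1 Network table above.
SAMPLE_NETWORK = '''
Country Destination Domain Proto
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 107.178.223.183:8000 ns1.mediashares.org tcp
'''

ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) '
    r'(?P<domain>\S+) (?P<proto>udp|tcp)$'
)
# Assumption: resolvers used by the analysis environment. Traffic to them on 53
# is a lookup of the domain column, not contact with the destination host.
RESOLVERS = {'8.8.8.8', '8.8.4.4'}


def parse_rows(text: str) -> list:
    """Parse data rows; the header row and blank lines do not match and are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def extract_iocs(text: str) -> dict:
    """Separate names merely resolved from hosts the sample actually connected to."""
    looked_up, contacted = [], []
    for r in parse_rows(text):
        if r['ip'] in RESOLVERS and r['port'] == '53':
            looked_up.append(r['domain'])
        else:
            contacted.append(r)
    contacted_domains = {r['domain'] for r in contacted}
    return {
        # every name the sample knows about, whether or not it got a connection
        'domains': sorted(set(looked_up) | contacted_domains),
        # only real destinations, so the resolver never ends up on a blocklist
        'endpoints': sorted({f"{r['ip']}:{r['port']}/{r['proto']}" for r in contacted}),
        # queried in this run but never contacted; still worth a DNS-log hunt
        'resolved_only': sorted(set(looked_up) - contacted_domains),
        'contacted': [
            {'domain': r['domain'], 'ip': r['ip'], 'port': int(r['port']), 'proto': r['proto']}
            for r in contacted
        ],
    }


if __name__ == '__main__':
    import json
    print(json.dumps(extract_iocs(SAMPLE_NETWORK), indent=2))
```

For this report the result is one contacted endpoint, 107.178.223.183:8000/tcp, reached after ns1.mediashares.org was resolved, plus two further names (ns1.player1253.com, ns1.videoall.net) that were queried but never connected to during the 171-second run. Both lists belong in the hunt, but only the first belongs in a network block.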

Files

\Users\Admin\vuode.exe

MD5 a65ac1ddd9348c3c152d31689a9e7bdb
SHA1 48d710fec5a655c609a8e9d90931b1dd9f4da21b
SHA256 680be42ac241a4125325539f9aa9a96b809d05d8f6b6a9b94e2d1eaf0f16dc4e
SHA512 1c4f6fec0cc73ee81d175cfe17309ddbfa2baf5419edeef3149c85c0984f4e7af27b1fbdca400a9755d0b57c97993cecfa9a272967bb6ec0e34b909937d556c4

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:39

Reported

2024-04-06 21:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\gpkur.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\gpkur.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /z" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /D" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /w" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /P" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /X" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /n" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /a" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /m" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /S" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /F" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /c" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /Q" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /T" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /M" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /g" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /y" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /H" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /G" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /k" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /q" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /E" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /x" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /h" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /O" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /I" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /f" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /d" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /U" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /C" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /b" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /r" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /J" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /v" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /s" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /p" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /o" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /i" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /N" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /j" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /e" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /K" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /B" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /Z" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /R" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /L" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /l" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /Y" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /t" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /W" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /u" C:\Users\Admin\gpkur.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpkur = "C:\\Users\\Admin\\gpkur.exe /A" C:\Users\Admin\gpkur.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\gpkur.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\gpkur.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe C:\Users\Admin\gpkur.exe
PID 3988 wrote to memory of 1632 N/A C:\Users\Admin\gpkur.exe C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3582e1202a0db99c881b1905092010b_JaffaCakes118.exe"

C:\Users\Admin\gpkur.exe

"C:\Users\Admin\gpkur.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.player1253.com udp
US 8.8.8.8:53 ns1.videoall.net udp
US 8.8.8.8:53 ns1.mediashares.org udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\gpkur.exe

MD5 87205b1d67554faf3da391e43072d688
SHA1 d31aa8fca1c04d149b121fa33b8150ac10beb24d
SHA256 cca00ff3eca744b57dea69f09906ab0c1776db6799bb1749fa6d1d9fcaac4acf
SHA512 867c1cefb7d8f501ae36dd5b5b5e1d11d3a2e4f7b6b55872e9517764d81af07a7dd925496f748e3866a2c4d9656724427acd8cdb99fe10af28c63400e89464c2