Analysis Overview
SHA256
4a32f239b21f46400b6c7cc0609f86332bfd4057bc50694b95f1b11b66a169c5
Threat Level: Known bad
The file e3611c36481789b102764405e05b5680_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:58
Reported
2024-04-06 22:01
Platform
win7-20240221-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\nvgoz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nvgoz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /K" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /p" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /v" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /b" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /e" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /A" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /a" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /S" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /O" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /B" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /C" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /W" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /n" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /m" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /t" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /N" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /G" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /F" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /M" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /k" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /g" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /E" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /j" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /D" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /o" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /J" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /l" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /x" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /y" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /X" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /d" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /U" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /q" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /V" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /u" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /I" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /c" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /z" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /Y" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /r" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /s" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /L" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /f" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /H" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /Q" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /R" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /T" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /i" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /w" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /Z" | C:\Users\Admin\nvgoz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvgoz = "C:\\Users\\Admin\\nvgoz.exe /h" | C:\Users\Admin\nvgoz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\nvgoz.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\nvgoz.exe |
| PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\nvgoz.exe |
| PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\nvgoz.exe |
| PID 1752 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\nvgoz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe"
C:\Users\Admin\nvgoz.exe
"C:\Users\Admin\nvgoz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 107.178.223.183:8000 | ns1.player1532.com | tcp |
Files
\Users\Admin\nvgoz.exe
| MD5 | ebbfdcfb9d6a2b9054e53b6658734037 |
| SHA1 | 63e8f13a96857776ca875972b3d6db919ac2527a |
| SHA256 | 9b5201f93151c32225b5622e3527f22eb0569e4a2a8e5b84e850cc15d15266e0 |
| SHA512 | 4a2e6acf0ea22ceff37d9bb9259bcf7ec47e10e691cc730c5403616b73c80fcff9847a0c08c3d6ac6c4c2faf8a75c8f7e6868ecc6962f79abd00127e30217b56 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:58
Reported
2024-04-06 22:01
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\weinow.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\weinow.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /o" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /F" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /Q" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /j" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /D" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /u" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /S" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /L" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /p" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /l" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /M" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /h" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /R" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /q" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /V" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /b" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /v" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /k" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /I" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /e" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /w" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /s" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /m" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /X" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /N" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /n" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /G" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /T" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /z" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /f" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /O" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /t" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /Z" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /E" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /g" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /H" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /J" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /W" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /i" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /B" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /P" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /U" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /r" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /A" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /d" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /K" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /y" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /a" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /C" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /x" | C:\Users\Admin\weinow.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\weinow = "C:\\Users\\Admin\\weinow.exe /Y" | C:\Users\Admin\weinow.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\weinow.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\weinow.exe |
| PID 5096 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\weinow.exe |
| PID 5096 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe | C:\Users\Admin\weinow.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3611c36481789b102764405e05b5680_JaffaCakes118.exe"
C:\Users\Admin\weinow.exe
"C:\Users\Admin\weinow.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\weinow.exe
| MD5 | 01d443606933e6371866ac3e30b7bda6 |
| SHA1 | d387ce32d078b8abf572b0d20679f2d88a6f8874 |
| SHA256 | 8c17e028bccd1e1f17f2c48c2fe460afd0a727ff0ee1402044476946c45f4835 |
| SHA512 | 1a7c417bbfb36abaaa62a2da238712b71e4fef138ef613463781b413508c055ede2c56117a726a7ca902b91d104d707aa4b03637a5451eb2090da17f36509a4a |