Malware Analysis Report

2025-06-15 19:50

Sample ID 240406-ft9r5scb98
Target dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118
SHA256 7b014711b716b2b4258214c6a4e2a2643d29403371dbcd717bd042d391299d7d
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7b014711b716b2b4258214c6a4e2a2643d29403371dbcd717bd042d391299d7d

Threat Level: Shows suspicious behavior

The file dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 05:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 05:11

Reported

2024-04-06 05:13

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\Journal.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\virDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2664 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2664 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2664 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2780 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2780 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1692 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
PID 1692 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
PID 1692 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
PID 1692 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4C7B.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$$a4C7B.bat

MD5 8d1b5144280099263f4992649a8dd2fa
SHA1 67507d7af94e029746a15815d4fe3b2b3bdf07bf
SHA256 c19a88e5cb48f25127a10d7fe223f9beaba761fb05be5ad8472ba3b07f97c5ce
SHA512 8177a495b83f5853694461e35fd3331252d9a7edd4ef8363a2d5622f99f4e6eaec950166c91491a4b93b5846777ebef53cba9eeb7819c486c34ebec33f0998c5

C:\Windows\Logo1_.exe

MD5 a7dcffd56f068633bfaf85ec3d65d08b
SHA1 36cba2a5522ebd673107d63f9d8e1afbdfa236b6
SHA256 409f7415b7b10f6d801014ac6b0e3cea785ad5a73ba397f46765bbd3dcf36367
SHA512 78dc44535430d92307bfbd5b679159f7032306f3f818b0d5a3264347c227bd8edd0ae07bd9f6beaf91c33ee81a451d01177d08c254ace779dfd66ab9666bf6d1

memory/2664-14-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1368-19-0x00000000026F0000-0x00000000026F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe.exe

MD5 bde3ac1c9b09fc1b55c6e398009a9c83
SHA1 fa99711be9d0812383d1f41e9277bd3ba71eb09f
SHA256 059263f4b3635da33f1bae9789b13f287bce7b8dedc960201e8807e6de9b3fc5
SHA512 af2ff4728885c6319800f98f4f639f836eb4713272d3dbf38c5f473b91b398747ce6bdc56d32cd0fc2ddc88f3ba1b99e170e6f679341d4c3e5a9eafaf3930e99

memory/2780-240-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:11

Reported

2024-04-06 05:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe N/A
File created C:\Windows\virDll.dll C:\Windows\Logo1_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 624 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 624 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe C:\Windows\Logo1_.exe
PID 2508 wrote to memory of 3452 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2508 wrote to memory of 3452 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2360 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
PID 2360 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
PID 2360 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Windows\Logo1_.exe

MD5 a7dcffd56f068633bfaf85ec3d65d08b
SHA1 36cba2a5522ebd673107d63f9d8e1afbdfa236b6
SHA256 409f7415b7b10f6d801014ac6b0e3cea785ad5a73ba397f46765bbd3dcf36367
SHA512 78dc44535430d92307bfbd5b679159f7032306f3f818b0d5a3264347c227bd8edd0ae07bd9f6beaf91c33ee81a451d01177d08c254ace779dfd66ab9666bf6d1

memory/624-7-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 6f1d1fa4eebaf55531b107d0cede0945
SHA1 f659488b079270563a08968ebcbcb6d4ba9abec8
SHA256 4328b24e4273afefe2c1e11ab1c8d1080e1f36bac1ad506cc6f486c15ee65fc4
SHA512 e45e78e47699aa14f0b83c234b0a8095232f48be713f82c81ca07a014b9c5fc180db6ebcd7e48716a3852c6c9dc19d03d84f90a339f20427fd6114330d13c012

C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat

MD5 decbfff3afc5024361240f9397ea1379
SHA1 00f5f841de2ecedfde30ea01bd1ca0ebb0074771
SHA256 caf195d9e5ff28e52d9a9e41417c2c483e13c1eed2b9dfe792b33dbb26c50235
SHA512 cd9775fb8c4d4b8361e2a84460719d5d827e32f15677904ac604badca731e248588194ae74f40821f96864a232d79fc3fd338d624597292e3e036101128ff574

C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe.exe

MD5 bde3ac1c9b09fc1b55c6e398009a9c83
SHA1 fa99711be9d0812383d1f41e9277bd3ba71eb09f
SHA256 059263f4b3635da33f1bae9789b13f287bce7b8dedc960201e8807e6de9b3fc5
SHA512 af2ff4728885c6319800f98f4f639f836eb4713272d3dbf38c5f473b91b398747ce6bdc56d32cd0fc2ddc88f3ba1b99e170e6f679341d4c3e5a9eafaf3930e99

memory/2508-223-0x0000000000400000-0x0000000000422000-memory.dmp