Analysis Overview
SHA256
7b014711b716b2b4258214c6a4e2a2643d29403371dbcd717bd042d391299d7d
Threat Level: Shows suspicious behavior
The file dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 05:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 05:11
Reported
2024-04-06 05:13
Platform
win7-20240221-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\Journal.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\misc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\Chess.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\WinMail.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\virDll.dll | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4C7B.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\$$a4C7B.bat
| MD5 | 8d1b5144280099263f4992649a8dd2fa |
| SHA1 | 67507d7af94e029746a15815d4fe3b2b3bdf07bf |
| SHA256 | c19a88e5cb48f25127a10d7fe223f9beaba761fb05be5ad8472ba3b07f97c5ce |
| SHA512 | 8177a495b83f5853694461e35fd3331252d9a7edd4ef8363a2d5622f99f4e6eaec950166c91491a4b93b5846777ebef53cba9eeb7819c486c34ebec33f0998c5 |
C:\Windows\Logo1_.exe
| MD5 | a7dcffd56f068633bfaf85ec3d65d08b |
| SHA1 | 36cba2a5522ebd673107d63f9d8e1afbdfa236b6 |
| SHA256 | 409f7415b7b10f6d801014ac6b0e3cea785ad5a73ba397f46765bbd3dcf36367 |
| SHA512 | 78dc44535430d92307bfbd5b679159f7032306f3f818b0d5a3264347c227bd8edd0ae07bd9f6beaf91c33ee81a451d01177d08c254ace779dfd66ab9666bf6d1 |
memory/2664-14-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1368-19-0x00000000026F0000-0x00000000026F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe.exe
| MD5 | bde3ac1c9b09fc1b55c6e398009a9c83 |
| SHA1 | fa99711be9d0812383d1f41e9277bd3ba71eb09f |
| SHA256 | 059263f4b3635da33f1bae9789b13f287bce7b8dedc960201e8807e6de9b3fc5 |
| SHA512 | af2ff4728885c6319800f98f4f639f836eb4713272d3dbf38c5f473b91b398747ce6bdc56d32cd0fc2ddc88f3ba1b99e170e6f679341d4c3e5a9eafaf3930e99 |
memory/2780-240-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 05:11
Reported
2024-04-06 05:13
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaw.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpshare.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe | N/A |
| File created | C:\Windows\virDll.dll | C:\Windows\Logo1_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\Logo1_.exe
| MD5 | a7dcffd56f068633bfaf85ec3d65d08b |
| SHA1 | 36cba2a5522ebd673107d63f9d8e1afbdfa236b6 |
| SHA256 | 409f7415b7b10f6d801014ac6b0e3cea785ad5a73ba397f46765bbd3dcf36367 |
| SHA512 | 78dc44535430d92307bfbd5b679159f7032306f3f818b0d5a3264347c227bd8edd0ae07bd9f6beaf91c33ee81a451d01177d08c254ace779dfd66ab9666bf6d1 |
memory/624-7-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 6f1d1fa4eebaf55531b107d0cede0945 |
| SHA1 | f659488b079270563a08968ebcbcb6d4ba9abec8 |
| SHA256 | 4328b24e4273afefe2c1e11ab1c8d1080e1f36bac1ad506cc6f486c15ee65fc4 |
| SHA512 | e45e78e47699aa14f0b83c234b0a8095232f48be713f82c81ca07a014b9c5fc180db6ebcd7e48716a3852c6c9dc19d03d84f90a339f20427fd6114330d13c012 |
C:\Users\Admin\AppData\Local\Temp\$$a4FF5.bat
| MD5 | decbfff3afc5024361240f9397ea1379 |
| SHA1 | 00f5f841de2ecedfde30ea01bd1ca0ebb0074771 |
| SHA256 | caf195d9e5ff28e52d9a9e41417c2c483e13c1eed2b9dfe792b33dbb26c50235 |
| SHA512 | cd9775fb8c4d4b8361e2a84460719d5d827e32f15677904ac604badca731e248588194ae74f40821f96864a232d79fc3fd338d624597292e3e036101128ff574 |
C:\Users\Admin\AppData\Local\Temp\dc13d24e056c80813c44d68d54af8cfd_JaffaCakes118.exe.exe
| MD5 | bde3ac1c9b09fc1b55c6e398009a9c83 |
| SHA1 | fa99711be9d0812383d1f41e9277bd3ba71eb09f |
| SHA256 | 059263f4b3635da33f1bae9789b13f287bce7b8dedc960201e8807e6de9b3fc5 |
| SHA512 | af2ff4728885c6319800f98f4f639f836eb4713272d3dbf38c5f473b91b398747ce6bdc56d32cd0fc2ddc88f3ba1b99e170e6f679341d4c3e5a9eafaf3930e99 |
memory/2508-223-0x0000000000400000-0x0000000000422000-memory.dmp