Malware Analysis Report

2025-03-14 22:27

Sample ID 240407-3c1jgahf3t
Target e619c0199a77559eadae1249d97bde3e_JaffaCakes118
SHA256 e1be2c86ac30e33bccdf62c83d3aec2ddedaa09402a9ddf609bfd17eae68f232
Tags evasion, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e1be2c86ac30e33bccdf62c83d3aec2ddedaa09402a9ddf609bfd17eae68f232

Threat Level: Known bad

The file e619c0199a77559eadae1249d97bde3e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-07 23:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-07 23:22
Reported 2024-04-07 23:25
Platform win7-20240221-en
Max time kernel 150s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\ldcioy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /N" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /w" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /U" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /Q" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /l" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /c" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /e" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /O" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /j" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /V" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /i" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /m" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /r" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /p" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /C" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /q" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /Y" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /g" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /n" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /P" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /b" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /W" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /G" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /y" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /t" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /R" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /Z" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /D" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /a" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /E" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /F" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /d" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /A" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /k" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /x" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /u" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /h" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /s" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /M" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /I" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /X" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /B" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /H" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /f" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /K" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /v" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /S" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /J" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /L" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /z" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /o" | C:\Users\Admin\ldcioy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldcioy = "C:\\Users\\Admin\\ldcioy.exe /T" | C:\Users\Admin\ldcioy.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\ldcioy.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"

C:\Users\Admin\ldcioy.exe

"C:\Users\Admin\ldcioy.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ns1.player1253.com | udp
US | 8.8.8.8:53 | ns1.videoall.net | udp
US | 8.8.8.8:53 | ns1.mediashares.org | udp
US | 104.155.138.21:8000 | ns1.mediashares.org | tcp

Files

\Users\Admin\ldcioy.exe

MD5 4cf75fe02833e2a2119af67bf03d0960
SHA1 b6f83af3e6696372215c2a4a488fba8f17ca2f3e
SHA256 fda85b187f71a1203e55ff340d669813582b1f7a353ebb73f2bf0dc26534946c
SHA512 5e1be501ea3b9518716e25f9a69a49211575ca3bc5df30e18962ef5609f8e0bc5396a6cc01620ed91e4fdd361763a72c3ef175175547c1e21acbc658068a2637

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-07 23:22
Reported 2024-04-07 23:25
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\vaopua.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /g" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /p" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /v" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Z" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /K" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /d" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /E" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /t" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /N" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /q" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /V" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /w" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /P" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /C" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /l" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Y" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /R" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /e" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /u" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /k" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /A" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /j" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /i" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /m" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /z" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /r" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /H" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /f" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /h" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /X" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /I" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /F" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /U" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /J" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /o" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /c" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /D" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /T" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /B" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /s" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /y" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /a" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /n" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /Q" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /x" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /b" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /M" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /O" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /W" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /S" | C:\Users\Admin\vaopua.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaopua = "C:\\Users\\Admin\\vaopua.exe /G" | C:\Users\Admin\vaopua.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\vaopua.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e619c0199a77559eadae1249d97bde3e_JaffaCakes118.exe"

C:\Users\Admin\vaopua.exe

"C:\Users\Admin\vaopua.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | ns1.player1253.com | udp
US | 8.8.8.8:53 | ns1.videoall.net | udp
US | 8.8.8.8:53 | ns1.mediashares.org | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp

Files

C:\Users\Admin\vaopua.exe

MD5 64df989fd6e6975d1566f296ce437b98
SHA1 c62d7510b16c97f8462cfd70a328e67ac764e10d
SHA256 1a02816d0d93a2f4d590760ed401764e174167479335e27d86d68fa497276e7c
SHA512 bcc3dcc6fc40fb3a48235aecc8dfd771e5970224077d85ab44f2651491215384c7a0faeab8ef90540b396c1b3690785efe3a945f3eebef6f2ee56dde939f2126