Analysis Overview
SHA256
147f6e392f4ef9f71e87ca4c96edad03d51135859d4e3ca008f6413dc30a2143
Threat Level: Shows suspicious behavior
The file e56eed158464357f80f853a00f116f0c_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:08
Reported
2024-04-07 17:10
Platform
win7-20240220-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\PDIALOG.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\misc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\virDll.dll | C:\Windows\Logo1_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat
| MD5 | 07884b2e8dacb75c50b367b944229b64 |
| SHA1 | 9368e8b35f3f8a853b24fd743dc6e93fc3c636b3 |
| SHA256 | 98a59f0856654614a70473318ba67d8eda153e0548d952f9ff4873276de13547 |
| SHA512 | aeba1a44a5df63010e21e9865636f1f236cc1e86befccaa404d7273d13f5b5a9d705f12774d3bf6c2d190260dde836338de2f454fec0d5fe1038f19f22382c74 |
memory/1636-13-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Windows\Logo1_.exe
| MD5 | 4ac1f1958bd18dab0e549245fd57aed1 |
| SHA1 | 33d4983d999577490b3e64319cea2ec950e3a85e |
| SHA256 | 24d45fc12b81f5d1c33fd09651e127cf77be6fc14685b820db31ae13f933f963 |
| SHA512 | 3a4c70741d0fa54b37ba29398855992644c79e1d4bceeb6bf21cf6d5b33405290179e4f9a9b31bcf1c030319aa20381579f2d9a542fa1f7b6fa09ae1daf80ab0 |
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe.exe
| MD5 | ef02abcee0ad366488184093977307ba |
| SHA1 | dc2725b96b579c6da27d9e8b817bb4ff17c8d3fe |
| SHA256 | b00f0ce56408d7dbb3171dd65c675fa336acc5b18e7db311c5befa04866549ac |
| SHA512 | 6b121c4b9b4dda65cb2baf492eeb5476b8a35a51a824b0b225e78ef22ce17648d7aab6435307595955df8bcac3bcb6466890a61e48b9975239690b0e8a6640da |
memory/1152-21-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/2464-242-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 17:08
Reported
2024-04-07 17:10
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateCore.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeComRegisterShellARM64.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateBroker.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateSetup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaw.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\virDll.dll | C:\Windows\Logo1_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5776.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files
C:\Windows\Logo1_.exe
| MD5 | 4ac1f1958bd18dab0e549245fd57aed1 |
| SHA1 | 33d4983d999577490b3e64319cea2ec950e3a85e |
| SHA256 | 24d45fc12b81f5d1c33fd09651e127cf77be6fc14685b820db31ae13f933f963 |
| SHA512 | 3a4c70741d0fa54b37ba29398855992644c79e1d4bceeb6bf21cf6d5b33405290179e4f9a9b31bcf1c030319aa20381579f2d9a542fa1f7b6fa09ae1daf80ab0 |
memory/2080-6-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Program Files\7-Zip\7zFM.exe
| MD5 | bca678ca2979eba83453139983b606ad |
| SHA1 | 0670a30396af37a2dff921a8e882f2be4d8f3137 |
| SHA256 | 618cbf67cf3517c9cf1d008da90d37054ad1b4241a6ae6aa32e4afde92c24462 |
| SHA512 | ad175fe5274cc93dfc61505d3e03dc0d100cce95529cf73f63bdecc5ff183d2cc482bd124a56d9105e19a1c2785d79b94255a7c1671789420b96decd9ca5b114 |
C:\Users\Admin\AppData\Local\Temp\$$a5776.bat
| MD5 | ff7e4485be86d4ff4536255da2cc084c |
| SHA1 | 1a1925d23c9d666e693b56c65bc556bada62056c |
| SHA256 | d20d71c01de3b10a967b5c94e1b7a1a8cc0107ae1573fa9d44024aba0980a59c |
| SHA512 | 50a1c2ae4389134865a15a8f21ec56ed83e330785abc6318de73a54e120a9daaddb65a7f88a4f8587307f959239465be079665e22c1f0574849aeb5fa9357697 |
C:\Users\Admin\AppData\Local\Temp\e56eed158464357f80f853a00f116f0c_JaffaCakes118.exe.exe
| MD5 | ef02abcee0ad366488184093977307ba |
| SHA1 | dc2725b96b579c6da27d9e8b817bb4ff17c8d3fe |
| SHA256 | b00f0ce56408d7dbb3171dd65c675fa336acc5b18e7db311c5befa04866549ac |
| SHA512 | 6b121c4b9b4dda65cb2baf492eeb5476b8a35a51a824b0b225e78ef22ce17648d7aab6435307595955df8bcac3bcb6466890a61e48b9975239690b0e8a6640da |
memory/5056-221-0x0000000000400000-0x0000000000422000-memory.dmp